GDPR and Protecting Privacy: Your baby's first word will be Data


By High Monkey, Our random thoughts collected

Categories: Learn

Take a listen as High Monkey’s Virgil Carroll and Liam Cleary from Protiviti continue the conversation about the European Union’s General Data Protection Regulation (GDPR). Shifting from episode 2, where Virgil talked more about GDPR and how it relates to the customer-facing side, in this episode Virgil and Liam talk more about the companies receiving personal information and how to handle such data once you receive it. According to Liam Cleary, “One of the key things to focus on regarding GDPR is to make sure you understand how the data moves around and really how it integrates in other applications and systems that you might utilize it in.” Virgil and Liam discuss the importance of defining policies and procedures for the storage and management of data, as well as how to keep people informed about how you are using their data. This podcast helps you understand GDPR from the standpoint of collecting data and understanding the steps to becoming compliant with your own data practices.

 

For more Discussing Stupid, follow us on:

Twitter: https://twitter.com/DiscussStupid

Facebook: https://www.facebook.com/discussingstupid/

LinkedIn: https://www.linkedin.com/company/28164784/

And visit our website www.discussingstupid.com

For any questions email me@discussingstupid.com

 

Items Discussed:

https://www.protiviti.com/, https://azure.microsoft.com/en-us/, https://www.eugdpr.org/, https://products.office.com/en-us/office365-lovepop, https://www.marketo.com/, https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Compliance-Manager-Preview-is-now-available/ba-p/124662, https://ec.europa.eu/eurostat/cros/

 

Host: Virgil Carroll – Twitter - @vcmonkey

Guest: Liam Cleary  – Twitter - @helloitsliam

Transcript:

Narrator: [00:00:00] Note this podcast does not discuss nor endorse the idea of discussing stupid ideas because we all know there are no stupid ideas.

Narrator: [00:00:13] Hello and welcome to Discussing Stupid. The podcast where we will tackle everything digitally stupid. From stupid users and the crazy things they do to stupid practices and the people who use them. We'll explore the stupid things we all do and maybe even come up with a few ideas on how to do things better. And now that I got your attention. Let's start discussing stupid.

Virgil: [00:00:41] Hello everybody and welcome back to the broadcast of the podcast. I'm Virgil Carroll the principal human solutions architect at High Monkey and your host. So with GDPR starting right around the corner I figured we would continue on with that theme as we did in episode 2 and kind of talk about it from a little bit different perspective. So those of you that have not had a chance to listen to episode 2 we talked about it from the perspective of how you actually do things on your website and some of the things you need to think of kind of from the customer facing side. Now we're going to talk a little bit more about GDPR and how you handle that data once you receive it. And some of the things you need to do and the practices behind the scenes because there's a lot of requirements out there in the GDPR and it's very important for you to understand that because if you don't that's probably where you're going to get nailed first as your mishandling of this personal data. So today joining with me is Liam Cleary who is the associate director and solution architect at Protiviti and probably one of the foremost experts I know in the world of cyber security so I thought I'd bring Liam along and we could have a little chat about GDPR and really your data.

Virgil: [00:01:55] Hi Liam, thanks for joining us. Why don't we start out by introducing yourself, telling us a little bit about who you are and why you actually have any experience in the world of data privacy.

Liam: [00:02:05] Okay that's a good question too. So Liam Cleary originally from the UK moved to the US about eight years ago. Originally worked in a large consulting firm then moved here and took a job at a smaller company and then kind of grown into working at Protiviti now. As one of their architects. I kind of focus really on SharePoint Office 365 but around security more than anything else. That's kind of been one of my areas that stemmed from me being in the security team and stuff in my last job and kind of working my way through there. Yeah I blog about security all the time. I work with clients and we talk about things like that. So from the data privacy I also like to hack things too. So I kind of have to understand both sides of what should you do and then what shouldn't you do and then how do you get around that.

Virgil: [00:02:48] Yeah. So like I mentioned in the introduction I've known you for quite a while so this is probably the most formal discussion you and I have ever had.

Liam: [00:02:56] I actually feel uncomfortable now. haha

Virgil: [00:03:00] You know from kind of the GDPR is literally going to be out in just a couple of weeks probably from when this episode broadcast. You know I spent some time talking with David Komárek from Kentico software about kind of from a public Website side of what we need to think of from data privacy from that side and how the GDPR really affects that. I think one of the interesting things I'd really like to talk to you about is kind of looking at the other side not only our internal data but kind of what happens. So we've collected all this information about people in their personas and everything about them. What are some of the things that you're seeing and you're talking to your clients about from that kind of privacy perspective that they need to start thinking about.

Liam: [00:03:41] I think the first thing is seen lots of clients where they're really worried about GDPR but then they're not quite worried. Like really what that means they're kind of unsure as in how it's going to affect them like what's going to happen. Well does the data that they actually have even count and that's the first thing. One of the first things that we tend to find these people don't know where the data is. They don't know what they have. They think that their privacy data their PII data is in that system over there. But in reality it could be in 27 different places. And so they spend a lot of time focusing on that one application and misunderstanding that the data is copied everywhere. Even your C-Drive, because people still store stuff there. So they have this data all over the place that they're worried about but they don't know how to get to it. They don't know what to do. And so most of the time people have sat on webinars, read blog posts about technologies that can fix that. But in reality that doesn't fix that because they have to understand first where the data is how it's being classified how it's been used because GDPR requirements dictate that you need to be able to say for example to you I have your data Virgil this is where I have it. This is where it's gone. That's why we use it. And that's how we use it and then am I okay to use there. It's that kind of process.

Virgil: [00:05:00] So what kind of data does Protiviti have of mine?

Liam: [00:05:03] Well I'm not talking on behalf of Protiviti I may have lots of information about you. But GDPR doesn't cover that.

Virgil: [00:05:09] You know what you say there is such a mind boggling thing when we think about how data is out there. I mean you know how many times have you received something about somebody a client or a person or whatever like that. And you know you forwarded it to somebody else. I mean and now that's a data chain. So the big question is, is whether you're doing this out in the public world or you're doing this as some type of internal customer process or whatever it is. How do you even start that you say find where your data is. How do people even do that.

Liam: [00:05:39] I mean that's the hardest task the hardest task is how do you find everything that you've got. And so we rely on the fact that the other vendors of those applications provide you a mechanism to be able to find data. So you know if you're using SAP or ServiceNow or something else you expect that there's a service you can use and say I need to find everything about Liam, show me where it is. But then the internal processes is the much more complicated. You know how do you find the data on Liam that was sent like you said through e-mails. How do you find the stuff that's been stored in the shadow I.T. Dropbox account that no one knows you have. Or how do you find that. And so there were tools available. It becomes a technology story. It means you are able to use things like data loss prevention tools that you can kind of plug in and say I want to scan this this this this and find all the information because you can't 100 percent comply with any of the GDPR rulings unless you know where it is first just pleading ignorance and going I don't know, it could be anywhere. That won't help you, because in the event of something happening they will mandate that you have to find that information in the first place.

Virgil: [00:06:44] Yeah I think that's one of the big things I see. I mean I.T. people just in general probably don't know where data is now. You start taking it up to the business level and these people just push things all the time and collect and move and all that kind of stuff. What's in our CRM what's in our you know Websites what's in all these different pieces? And I think that's kind of the real big challenge and I think that's going to be in my opinion if somebody actually gets gone after right away by one of the European Union countries that's where they're going to fall down in there. And so let's just say the scenario that we're not really sure. What are some of the other things we should do and one of the things I specifically want to talk about is going forward because to me and I realized kind of how it's written. But overall you also have that question of how much can you enforce a law that you put in place for things that happened before that law was in place and they talk about how everybody needs to get up to speed for the GDPR. So can they really come back and say well you did this ten years ago. We're going to fine you because of something you did 10 years ago versus going forward. So I think part of this is is that next data level what we're doing going forward and what are you kind of seeing around a lot of your client systems and that and how are you kind of helping them prepare to be able to take that step forward. That now we're actually doing things correctly.

Liam: [00:08:10] So I mean the first thing that's going to be interesting to see is like you said what happens on that deadline like on May the 25th, what's going to happen. Well nothing, it will be enforced but nothing's going to happen. You're not suddenly going to wake up and you suddenly get landed with a fine because how are they going to know. Nobody would ever know. But what's going to happen is there will be some instances where that will happen. Like for example kind of my personal opinion is one of the big boys will get hit with something just to show that GDPR can be enforced. But realistically for someone like me and you as a smaller company for example it's not going to happen. But we still need to be prepared for it. For that instance and it's not that the European Union or any of those commissions would come after you. It would be a regular Joe Bloggs. It would be me. So I'm one of these GDPR people because I'm not a U.S. citizen. I'm a European Union citizen. So a UK citizen so GDPR is for me. It's to protect my privacy and my data. And so I could if I wanted to come and say you know in six months time when GDPR kicks in I could come back and say hey Protiviti I want you to show me everything that you have on me because that's my right as part of this process. I can ask and then if it wasn't satisfactory or they couldn't provide me with the information then I can make that GDPR filing and complaint. So that's the bit you're going to be able to cater for because you don't know what's going to happen but to cater for it and plan for it you have to at least as a minimum have policies and procedures defined for those things. So Microsoft has done a great job of this. So in the Compliance Manager piece that they've now released for their Office 365 and Azure Stack they have all of the controls that Microsoft have done to become GDPR compliant and then you have the section that's your responsibility.
Because just because you're using somebody else's service doesn't mean you become GDPR compliant just because you're using that and the Microsoft client is one of those things often people think they just are. But they're not but when you look at the policies and the controls that are left they require you to do something doesn't necessarily mean you have to buy a new platform or put new security policies in place or whatever else. It means you have to document what's in scope and what's out of scope. So we require this information legitimately. So this is what will happen when somebody requests that information. So in the event of something happening you have documentation and a policy and procedure to present back to say we don't have technology in place because we didn't have anything but we have a policy and procedure that determines that us as a business, this is how we use that data. And that's the key policies and procedures of how you handle something is really what's needed. That's the key thing right now. By all means go and buy all the technology to do whatever you want but if you don't have a policy procedure wrapped around that in the event of something happening the technology is not going to help you.

Virgil: [00:11:05] Yeah and I think you bring up a good point because one of the things I see especially when you look at this from a business side is really the fact that so many organizations use third party providers, third party tools, third party applications systems like 365 and that kind of stuff to provide them some type of something for their business. You know you look at the traditional marketing world and you look at the Marketos of the world and all these marketing automation systems you know you look at more of content aggregation systems you look at maybe I'm running my server up inside an Azure you know V.M. instance or something like that. You have all these different pieces that kind of go through there and you look at it and say well it's not only about where your data is it's also who has access to it. I mean because let's be honest there is a truth in that. You know if you have something Azure technically anybody in Azure or anybody who works for the Azure team could if they wanted to gain some level of access to that. But that's kind of the fact. I mean if you go with a Marketo and you need support for Marketo they don't give you support by saying well we can't see any of your stuff we can't work with the system. It's just sitting there. They can actually you know to a certain extent gain access. So when you do their terms of service you're giving them permission basically to say hey we trust you. But GDPR is actually taking that up another level when we start working with these third party systems. We actually have to manage them as a data partner and actually make sure that whatever compliance we have they need to be following as well or doing better.

Liam: [00:12:38] Yeah that's right. And so and that's where it comes into the controller and the processor idea which is per GDPR that Microsoft are the controller because they store the information but so are you. But then Microsoft are also the processor. And so especially when you have subcontractors kind of other vendors in that space to you kind of have to make sure that you guys have to have your bit. We have to have our bit and then you as the owner of the content need to know exactly what that other part partner that other vendor is doing with the data. Because when I request that and say, where's my data gone you need to be able to prove to me and show me where that went and how that data was used. So you know the whole idea of you know if somebody buys a mailing list of email addresses and sells it on and sells it on like this will hopefully mitigate some of that because there's an auditable trail and there should be an auditable trail of what took place. So I did this I gave my consent to give that to Virgil, Virgil then passed it on to whatever. And this is what happened. As long as we have that trail and the audit to go with it and you can prove that this is what happened then you'll be fine. But it's when you can't which is right now like now we have no idea like I have no idea what stuff's been used what's not. We have no idea. So that's one of the key things to focus on GDPR is that, making sure you understand how that data moves around and really how it integrates in other applications and systems that you might utilize too.

Virgil: [00:14:04] Yeah and I think one of the things that a lot of people have to consider from that side is not only about knowing the path but why would you maybe be called up because of the compliance in the first place. And I think you kind of brought it up you said about one of the big boys and I realize you didn't want to say any names but to clarify for everybody listening you know we're talking about the Microsofts, the Googles, the Facebooks, the Snapchats all these ones that are massive content aggregators and have tons of information about us and that's really what we're talking about. But from that side you kind of look at it. Why is somebody, an EU citizen going to go to their country GDPR office and file a request for that information or go to you and file it and then file a complaint on that. It's probably not because I love you and think you're awesome. It's going to be because I have some kind of issue. And I think Facebook I'm unbelievably curious to see what happens in May with Facebook.

Liam: [00:15:03] They may be the first one.

Virgil: [00:15:04] Maybe the first one yeah.

Liam: [00:15:06] Just May I don't know for sure. 

Virgil: [00:15:07] We've had this big thing. But even from a company standpoint if you're a company that has a public image and you're a company that had this customer that's disgruntled or anything like that. You really do have this opportunity where somebody is going to say hey I want to see all my data and what are you going to do from that. So and you look at the nature of our world today and frankly you know we use technology to get back at other people on a very regular basis. And so one of the things I think's going to also be interesting about the GDPR, is going to be how many challenges it gets right up front as well because people are using it to try and damage the reputation of somebody else. The other thing that I think is very interesting from that and I'd be kind of curious of your opinion on this is I feel like the one thing the GDPR does is it does a lot of protections but it is also taking away anybody's personal responsibility is basically say Do what you want with your own data. Everybody else has to worry about it once you give it to them.

Liam: [00:16:04] Yeah I mean it kind of does do that. I mean it's kind of I suppose if you flip it the other way around. The purpose of the GDPR is for the protection of privacy of the individual. So it's you it's you and me it's my protection. And that's based on the risk that's associated to that information. If it was to be leaked or used in some other way that's what it comes down to. And it's very specific language around risk especially if it's children for example. They have very specific language around content that's children's and the risk that's associated to that. And so when it comes to that it is really about us. It's not meant to be nice and pleasant to the organizations that have to store that information because in the past as we know I mean just based on the news right now you can see that the privacy of the individual has always been left as the last thing. That by the very nature of you wanting to use a service it's well we've got access to everything now and whether you like it or not. That's what happens. And so you know that from the European Union and if we take some specific countries in there so take Germany for example their policies and procedures and rulings are very very strict. And so there had to be a change because no longer do people in Germany just work with people in Germany they work with countries all over the place. And so now it becomes much more complicated to say well if I am storing that information then you know you have to make sure it's done. But there is still there's still wiggle room in the GDPR. So for example I used a real world example the other day on the Webinar that I gave with Fits and we talked about GDPR and I said think of the logic here. You apply for a credit card. So you call up the bank and you say I would like a credit card and they say yes and they say we need to do a credit check on you. And you say no. Where does that leave you? Well you can't get a credit card now. 
And then you will but because you declined your consent and you're like, well no that's that's really silly because I wanted the credit card so that consent is no longer yours because under what's called legitimate interest in GDPR I can overrule that as the bank and say well in legitimate interest of our business and for what you wanted. I don't need your consent to do something with that data which is handed off to the next place to Experian or whatever else they get a credit check and then make a decision because it's legitimate interest of you and me as the organization as the end user. So there's still wiggle room in there to be able to not necessarily circumvent it but to make sure that somebody isn't just being you know a bit of a turd really and saying no you can't do anything. I mean think of the logic. I want to I want to be forgotten but I still want access fundamentally flawed in that logic. So there are still provisions in there for you as a company, as an organization, as a global entity to have some control over what happens. You just need to provide a mechanism to say this is what's going to happen.

Virgil: [00:19:00] Yeah I just did a report for one of my educational clients and part of that was about like a contact form so you have a contact form. Somebody fills out that contact form. The purpose for that is so you can contact me not so that you can market to me not so that you can do other stuff. But one of the things they were concerned about well what happens if that contact turns into a prospective student who actually starts filling out an application and all that kind of stuff. That's kind of when that legitimate business reason comes into play. And as I interpret it they are no longer really required by the GDPR to be as responsible per se. But the other thing I think that brought up to that was one of the things is you know this is an educational institution that's funded by the U.S. government or by a state government in that particular thing. But it's a U.S. based government entity being held to task by another government entity in another country or in the entire European Union. And I think that to me is going to be one of the more interesting scenarios because I actually did a lot of research and I tried to find one instance about where had ever sued a U.S. based government entity besides maybe some of the things that the federal government that just doesn't happen. And so where I kind of went to that client as I said OK the chances that anybody's ever going to come after you is probably nil to none. The chances that the GDPR could actually enforce anything against you. That could just be in my mind sheer entertainment to watch, and say we're going to hold you to our stuff over here accountable because we have a kid from the Netherlands that decided to apply to school at your college. But at the same time I said take it as a good practice. If you want to show yourself as being a responsible member of society. This is things that you can do is to actually help people understand your data. 
But overall from that side it is to me I feel like where you're hearing a lot of it in the U.S. especially is it's this really significant change that maybe doesn't have a lot of impact on us but there's a lot of organizations that want to make money off it therefore they send you these e-mails and they have all these webinars where it's like if you don't get that done you are doomed. And I get a lot of clients that come and say are we doomed and I say well you actually sell only to the state of Minnesota. So no and that but if you happen to start selling over there you're going to have to comply with those. But I also have clients that have headquarters near me that have offices all around the world and that's very different. And I think that's going to be one of the bigger things to see and one of the more interesting things is when frankly some country based organization actually comes after somebody in another country and to see how that plays because the U.S. obviously doesn't have a lot of data privacy rules but we do have data privacy rules.

Liam: [00:21:49] I mean you have your own.

Virgil: [00:21:49] We have our own, so it's going to be interesting to see how that all goes from there. But I think you know kind of circling back to what you can do about it. We kind of talked about where you start but once you kind of understand that path where do you go from there. So now I understand where all this data is, and now I need to set up something where somebody wants to be forgotten and I need to forget them or somebody wants all their data and that. Again you got your scenario of 27 systems you know how do you even think about that without needing to hire a team of developers that works for the next six months to do that kind of stuff. Have you kind of found things that you can help that you've been able to help your clients or kind of say start thinking of it like this and how to do something about it.

Liam: [00:22:33] Yeah I mean the key here is not necessarily a technology thing it's more based around a business process. So it's understanding a business process. It's the integration of systems and applications together and knowing and saying well actually if we have these 27 systems like which of these are integrated together and then what can we be notified of when something happens and then those ones that can be integrated together then those are the ones that are governed in those manual steps that you write in those associated documents. I mean I use the example of the Microsoft Compliance Manager where that has that built in but it doesn't do anything for you. It just lets you store the documentation and the notes that you did to put together. And so that's your first step. First step is that work out the process. If somebody says to you I want to be forgotten and you have to get rid of me. Then you have to do two things. You have to determine whether that's in scope for GDPR first. So is this in scope, yes or no? And if it is in scope how do you provide that mechanism. And can you truly provide the right to be forgotten. So give you another kind of example I come to you and say I want to be forgotten because I realized that I've been looking at stuff that I should have, maybe I've been dealing stuff like using electronic services or whatever else provided by a company I want them to get rid of it. They will say no because based on that legitimate interest and legal ramifications they then have the ability to say well we can't forget you because for legal reasons we need to store that information too. So there's still going to be instances where you are going to win that one. But what needs to happen is as an organization I need to provide a couple of things. The first one is I need to provide the ability for someone to ask and for me to provide a mechanism of what's happening with the data and where it is.
And secondly you have to have to have to have to provide some mechanism of consent. And now one of the article groups in the European Commission that's running one of the articles came back and said even their legitimate interest can be used. It's best practice to offer some kind of consent even if it's like a contact us form and it says just in case you're aware we capture this information and if it turns into something else you give your consent to us using this information that would be sufficient along with a policy to meet the GDPR. So there's still some things there that you have to fundamentally do. You don't need teams of devs but if your applications don't provide consent that does need to happen. Something that you can provide as a mechanism and say I consent to you using my data. Don't rely on the consumer interest, it won't always stand up in court.

Virgil: [00:25:04] And don't forget that consent and policy also have to be written in a way that it's easy for people to understand though if you actually go read the law that says that it's virtually impossible to understand what they mean by that, which is highly entertaining. But I think one of the things and the reason I wanted to I mean besides that I wanted to do two episodes in a row right away about GDPR. Besides that GDPR is getting ready to launch. I think this is kind of going to be a litmus test for my audience because overall I'm targeting people probably more in the marketing space internal communications marketing and that kind of stuff. And a lot of those people are very focused on acquisition. Acquisition of people, acquisition of information being able to disseminate out that. And frankly when I think about it, you even look at the Facebooks they're going to probably be the biggest violators of all in that because they have these marketing automation system they've got it if this person responds with this send them these five marketing messages do all this kind of stuff there. So to me this is kind of a litmus test do they really take it seriously what they do for their job instead of just be like well how do I get more tweets or how do I get more followers and that kind of stuff. That stuff is very important, but overall this is starting there and I think even though the U.S. will probably be behind. I think we're going to catch up. I really do because I think there's going to be a trickle down effect from Facebook right here. You're going to see some things go through our federal government and our state governments that are going to start to lock down what they're doing with our data and that kind of stuff. I think it is the future because the reality is there's too much data out there and we unfortunately all give it away a lot of times freely. You don't even really think about what you're doing.
My new son I probably will not have a Facebook account for him for a very very long time you know. Yeah but it's amazing how many people I do that do when you're basically now allowing a lot of people out there to track the life of your kid besides your friends and family. You don't really think of those kind of things. So I think that is going to be a very significant thing. So Liam I thank you very much for joining me. But if you were to leave everybody with kind of one piece of parting advice you know maybe we're not the largest organization maybe we're a smaller organization but we want to kind of get started somewhere in figuring out our data. Are there you know besides it sounds like Microsoft has some of the compliant stuff. Are there other things that you kind of recommend kind of from that starting standpoint to get going or resources out there that a person can find to kind of help them through this process.

Liam: [00:27:26] Yes I mean the UK has some pretty good information so there's a couple of government entities out there that have documentation basically checklists that kind of you can run through and you can look through the articles. So it's the ISC is the group. And you can go in and say I'm looking for like the data breach one for example and I want to know what that means. You can click on the article and then it will give you a checklist of things that you need to look for. So it's a really good resource. The UK has actually done a pretty good job because of a GDPR rulings override the existing data protection privacy rules that they have. And so they've done a great job of doing that. So if you want to look at something that's kind of the place where you would go I suppose it's like a parting thing. The most important thing would be spend some time identifying where your data is. You as much as that's a laborious task. That's the first thing to notice and then understand whether it's in scope or not. Is it truly truly PAI data from other people that you are utilizing. You know is there a risk because the key is if you look at the language it's about risk of that data or risk to that individual based on the data that you have from them. And so understanding that so take some time to understand what that means with risk to the individual of the data that you may hold and then work out a consent option. You're going to have to have it either way. Whether it's a form that you send to all your clients and say this is a new GDPR update. So Microsoft did it for example when you get an Office 365 contract now for a cloud service, there's an amendment to the existing contract that has GDPR amendments to it. So if you are an organization that does contracts maybe it's time to add a GDPR amendment to that contract. So send that to the clients say here's our new GDPR updates.
This is what we mean by it, this is what we mean by consent, this is what we mean by legitimate interest, and then get that to those clients or those end users that subscribe. So give it getting ahead of that because that's the first barrier. Did you ask for consent yes or no? And if you didn't it takes one person to flag it and you may be the smallest company in the world. But if there's no way for you to prove that you have consent that might be something they might take on. But outside of that the last thing to check is whether you have to transfer data between countries and that's a bit of a problem. So there's rulings in the U.S. for moving data and there's rulings in each individual country. And when you look at GDPR it spans over the all of Europe and everywhere else. But some of those rulings override that, GDPR overrules somewhere else. And then in the U.S. and across to Europe we have what's called EU model clauses that allow the transfer of data. But understand that if you have to transfer data from one country to another. What effects does that have on your GDPR compliance? And then I suppose my final final final thing for you is just make sure you understand what GDPR is first like actually, actually just understand what it means to your organization because not everything in there is what you have to worry about. And I think like you said you see a webinar you read a blog post as you said the word doomed. Like you're not doomed, you just need to make provisions for that. Like just understand it and say oh this is what I actually have to do. That's all I need to do.

Virgil: [00:30:44] Well that's some great advice and sounds simple easy peasy just put it in place. But I'll make sure that we add the websites you mentioned into the show notes and I really appreciate you joining me to talk about GDPR. I think that this is some very significant especially when you start dealing with customers if you have customers which virtually every business and entity in the world has whether it's internal or external you have customers you have people that you need to worry about. And this is something significant it's going to be really entertaining. I'm thinking that six months from now I'd like to do a follow up episode, that kind of looks at GDPR six months later.

Liam: [00:31:16] What happened?

Virgil: [00:31:17] HAHA! What happened? Did our world change? Is Facebook no more? What really goes down with that? So thank you very much for joining me Liam and really appreciate you taking your time to talk about GDPR with us today.

Liam: [00:31:29] Thank you for having us.

Virgil: [00:31:34] So on today's stupid buzz I thought I'd talk a little bit about something that maybe isn't necessarily a cliche phrase that irks me but one that is I think very particular to this topic and then also one that is very overused and that and that's the concept of data mining and sometimes you hear this concept of big data and what that really means. Big Data is really large data sets and you know we had to have some type of really cool way of saying it so we said big data versus big data sets and that and data mining is really what we do with those big data sets or analyzing that and trying to discover some kinds of pattern. A lot of times this is how our marketing automation works and the way we do things is by using these big sets of data from our customers or from people that are in our target market or something along those lines that allow us to understand better how they think and what they are trying to do. Some good examples of this is you know when you use like an order system to understand buyers patterns or maybe inventory flow so if you can do some you know companies like Amazon are very good about understanding how to keep a just-in-time inventory because of how the patterns go along with the buyers and all this information. There are other aspects like you know understanding patterns in medicine around treatment protocols. What's worked what hasn't, over a really large set of data. Or from a marketing perspective obviously you know something like buying a list to market based on specific criteria. So you have all those you know list generation companies that do that in there. But there are some cautions we have to be around especially when we start talking about the world of GDPR.
I don't think we could get a more appropriate example than what Facebook has been dealing with a recent scandal and how data mining can really be abused and if you've ever paid attention to how you can do their target ad generation or if you've done it yourself you know that you can just do so very much with that and it's almost crazy how you can really narrow that down. And you know the reality is you have companies out there that are somewhat abusing that and using some of those benefits to be able to suck in large amounts of data and you kind of have to look at that as you know the data is great but you also have to kind of think about that from your social responsibility side. So that's something that you individually as a marketing professional or as a developer or as a company need to kind of determine for yourself. But overall you always want to think about that. And in the world of GDPR in particular if you're collecting data unnecessary obviously in some of the discussions that I've had before this we've talked about consents and what that means and actually pulling in data or collecting data that you don't need so if you're collecting things from like a content standpoint and you're asking for email phone number and you know some other piece of information. Do you really need all those pieces of information to reach out to them? So you want to make sure that you're doing that and then from a mining standpoint that you're not using that data to try and mine your own pocketbook but instead you're using it for the purposes that you used in that. And so the big thing is if you do this your own pocketbook might just get mined by the European Union itself. So thank you again for joining me on this great podcast. I hope you enjoyed the topic. We're going to start moving on to some other topics but may come back and revisit GDPR at some point down the road after it's kind of been implemented and kind of look at what's happened from there. 
If you haven't already we encourage you to subscribe through such vendors as iTunes, Stitcher, and Soundcloud or you can always visit our episodes on our website at www.discussingstupid.com. If you're interested in interacting with me or sending some comments about the podcast I always want to hear from people if you have a topic idea or maybe you just have some comments or want to have a discussion around something you can reach out to me really two different ways. The first is my email address at Me@discussingstupid.com or you can also send me a tweet at @discussStupid on which is my Twitter handle so you're just not discussing stupid, it's @DiscussStupid. So until our next episode. Feel free to discuss stupid on your own.