E135 - Ken Chikwanha, Executive Head: Data Governance, Data Privacy & Data Protection, Standard Bank Group, Johannesburg, South Africa

49:25

SUMMARY KEYWORDS

data, organization, business, working, privacy, people, data protection, understand, information, data governance, regulator, tool, legislation, happening, regulation, customers, terms, ai, law, outcome

SPEAKERS

Ken Chikwanha, Debbie Reynolds

Debbie Reynolds  00:00

Personal views and opinions expressed by our podcast guests are their own and are not legal advice or official statements by their organizations. Hello, my name is Debbie Reynolds; they call me "The Data Diva". This is "The Data Diva" Talks Privacy podcast, where we discuss Data Privacy issues with industry leaders around the world with information that businesses need to know now. I have a very special guest on the show today; Ken Chikwanha. He is the Executive Head of Data Governance, Data Privacy, and Data Protection for Standard Bank Group in Johannesburg, South Africa.

Ken Chikwanha  00:45

Hello Debbie, how are you doing?

Debbie Reynolds  00:48

I'm great. I'm great. I will say that before we started recording that you didn't know how excited I am to have you on the show. We have a funny backstory. So I had done a podcast with Mark Smolin, who's the head of legal at DHL Supply Chain. And you and I ended up on a call, I think, like the next day or something in Australia. And so I was just blown away. I was like, oh, my God, everybody listens to the podcast. And I told Mark, I say, hey, you have people in Australia talking about your podcast, and he was so excited about that. But that was a great show. Yeah. And you and I had a great conversation one of the times where I feel like we couldn't record it what we said during that call, so it was great to be able to have you here.

Ken Chikwanha  01:40

We get a chance to do it today. Yeah,

Debbie Reynolds  01:43

Exactly. Well, first of all, tell me about your journey into Data Privacy and data protection, why that's an interest for you, and what you do at Standard Bank Group.

Ken Chikwanha  01:55

Thanks, Debbie. And again, thanks for having me. This is one of the highlights of the year. But this is one of the things that actually got me into the role I'm actually playing now. So yeah, thanks for all the work you're doing. And yeah, I thank all the great guests that you actually have on the show as well. So it's an absolute pleasure. So just in terms of my background, I guess I took more or less the scenic route. So I left college and I started working with what was then called the Big Four. I don't know what it is now, but it was Big Four doing systems implementations. And that turned into controls assurance work when I moved across to  Price Waterhouse Coopers. And, you know, I've just been privileged to be working around the world, just getting to see the world, you know, just getting to get some of that international experience, just to add to my portfolio as well. So I did work with a few of the corporates like I said, and I did some freelancing as well, where I was doing some consulting, primarily in the information management space. And, you know, back then, the focus was more on the technology side of it, as opposed to the actual data, which is what we are focusing on now. And I did a stint in information security as well when I did some work with one of the banks, and a role opened up in our data management division. And back then, we were looking for someone to lead data governance. And, you know, I had no idea what that was back then. It was all quite new; there was very little international precedent. And, you know, outside of academia, it was basically just, you have to figure your way out. And so, I took that up, and, you know, things just moved on. And you know, with the coming of new legislation locally, especially around Data Privacy, a role opened up, and I guess my name was thrown into the hat, and here we are. I had no idea about what the Data Privacy officers needed to do, a data protection officer, depending on which part of the world you're in. And I guess just through research, listening to shows like yours, honestly, that that's true. I also listened to; there's the one that you guys also did with Jamal in the UK. Privacy Pros. Yeah, that was one of my favorite shows.

Debbie Reynolds  04:33

Yeah, Jamal is awesome.

Ken Chikwanha  04:35

Yeah, he's a great guy. And, you know, just networking. We ended up putting things together, and here I am. So just leading the Data Privacy or data protection work for Standard Bank.

Debbie Reynolds  04:49

Wow, that's amazing. Tell me a bit about your transition. You touched on it a bit about how you found your transition from IT security governance and to privacy because I think there are a lot of people who are not, for example, maybe they don't have a legal background or anything, and they're looking to move into this area. So tell me a little bit about the skills that you had that you were able to translate over into this new role.

Ken Chikwanha  05:23

Great. So I did quite a few different bits of training, just a few certifications just along the way. But the base set of skills was basically information risk management. So like I said, that ended up being more of a data governance type of focus. So you know, my skill set is information with data governance, and now it's more in the privacy space because I guess the lesson out of this is, I didn't need to be a lawyer, I didn't need to have a legal mind to actually take up this role, the specialist within the organization that actually focused on the interpretation of legislation. And so my understanding of the business, as well as my background with data governance, as well as information security, because as you can see from the title, it's actually a three-legged portfolio, which actually is part fortuitous, but it actually makes total sense. Because Data Privacy is the outcome that we actually end up chasing, that's the customer-facing, that's the external-facing outcome. But in terms of the actual pillars that underpin that data governance, you need to know what data you have; you need to know where it is, and you need to know who can access it. You know, so things like logical access management, all those things that actually come together to form your role of data governance, you know, part of it, as long as you need to know where the data is coming from, you know, where you're sourcing your data from, you also need to know how you're using it within the organization, which spills over into the privacy space now. And then, on the other side, just in terms of the data protection side, I think my stint in information security actually put me in good stead. Because once you actually understand some of the technical measures, or the security safeguards, as it's called, in most pieces of legislation, you actually get a full appreciation of how you actually achieve that outcome of actually protecting people's data, which ends up giving you either a good or bad privacy rep. So that's how everything's actually just beautifully come together. And it makes perfect sense in my head now because I have that background across both legs.

Debbie Reynolds  07:42

You're right; it does make perfect sense. And I remember when privacy or data protection, especially in the US, started to get more attention. I had told a lot of my friends who are in information governance to hitch your wagon on the privacy stuff. I think one reason why those two things go together is because if you do it right, you're doing it at a foundational level, and you're doing it early, as opposed to trying to do it in a reactionary manner. What are your thoughts?

Ken Chikwanha  08:14

Absolutely, I totally agree. I totally agree because those are the foundations of sound Data Privacy practices. You can't protect it if you actually don't know where it is, you know, because leaders within the organization are sitting with your third parties or your vendors in actually having a full view of what data you have, and where exactly it is, you know, what kind of data it is, as well, you know, that actually just puts you in good stead because now you actually understand that gives context, the regulation that comes in, because regulations are talking about protecting the man on the street. And one of the most prized assets, the personally identifiable information. And, you know, I guess having that context actually just makes it all makes sense.

Debbie Reynolds  09:05

I want to talk to you a little bit about data mapping. I think when I hear people say, talk about data mapping; sometimes it's like nails on a chalkboard for me.

Ken Chikwanha  09:15

Yeah. That's a scourge of everyone in business.

Debbie Reynolds  09:18

Yeah, well, it was right it's a scourge to everyone in business, but a lot of people don't do it correctly, and they look at data mapping from a narrow point of view. So they're like, let's do data mapping for governance. Let's do one for privacy, let's do one for security, where it's just one data map, and then you have to have those considerations all the way through, and then that way, you're not wasting time churning through all these little fiefdom efforts. What are your thoughts about that?

Ken Chikwanha  09:52

I totally agree, and equally, data mapping these data flows. So for me, it actually is all rooted In business processes, like, what does the business actually want to achieve? And because data flows through business processes, it doesn't flow through some of those departmental pockets that we normally like to talk about. So if you have the contents of the business process, different business processes, you actually understand where's the data coming from? Which are the touchpoints within the organization? Who's doing what to that data in the organization? How well protected is it at every single stage, all the way from processing and storage to destruction, retention, and destruction, you know, right across the entire lifecycle, you need to have a proper lineage across the entire business process. So I think it's painful until people actually understand the value of why we're doing it. It's not just an admin tool that we just inflicting upon people; it's actually, the more you understand how data is actually put into your business versus the better you can actually handle it, the better control you have over who's doing what within the organization.

Debbie Reynolds  11:08

Also, one thing that you pointed out and you're obviously very good at this, and I'd love you to chat more about this. And this is what I've observed with people who are very successful in a business role is that you bring your skills to the business, but you understand the business. So if you're someone who's in a business that doesn't understand the business that you're in, you're not going to be successful because you don't understand how the business is operating, what the business folks are interested in, right? It's privacy and governance. It's just a slice of what happens in the business. So tell me a little bit about that.

Ken Chikwanha  11:48

Yeah, so I agree again. So that's something that's actually put me in good stead. Again, like I said, having worked with the actual business and understanding the actual business processes, you actually understand what outcomes they're chasing. Because what we do isn't, it can't be done in isolation; it's not something you just come in and layer on top. And you know, I hope to achieve the results. You need to understand what business is doing and why they're doing it. So you need to actually just hitch your wagon to the actual business strategy of the organization. That way, you can actually support them much better because businesses don't need to understand all the sections of a piece of legislation. So you need to be able to translate that legislation into workable business practices. So if your department is a marketing department, you need to understand where's this data coming from. You sourced it from events; you source it from customers, customers who vocally consented to you actually using their data for some of these purposes. And understanding that full business context actually helps you to to speak their language and actually get more buy-in as you go along. Because otherwise, it's just paying for everyone.

Debbie Reynolds  13:08

One thing that you're very good at, you talk to me a bit about, is privacy risk management. And I want to talk to you a little bit about, I guess, the word risk. When I hear the word risk, I think I've seen legislation that brings up that word. To me, that means showing your work over time. And you can't know your risk unless you have data points over time. What are your thoughts?

Ken Chikwanha  13:37

I agree, I agree. And, you know, I guess with risk management, I guess the technical definition is anything that stops you from achieving your business objectives, right? So you need to understand the business context. And like I keep saying, you understand the proper business context, then you actually understand at every point, what are the things that could stop us from actually meeting our business outcomes? And, you know, Data Privacy risk? You know, for me, it's not just about collecting stats. So the data points are some of the stats that we collect, you know, whether it's the number of privacy or protect data protection, impact assessments you perform, the number of breaches, you know, you need to actually start digging a little deeper than that because we have to take learnings from all this information that we're gathering, all the data points that you speak about, and then some of the insights that actually end up ensuring that the relevant monitoring of those risks ends up taking place. And you know, that business processes are over time, they eventually matured or evolve to ensure that either consumers aren't negatively impacted or that the organization isn't exposed from a legal risk perspective going forward. So yeah, that's my take on Data Privacy risk management; it's something that's integral to an outcome. That's why we do what we're doing; we try to manage the legal risk pool for the organization; it just happens to be in the Data Privacy context.

Debbie Reynolds  15:14

Excellent. So I want you to give us some insight into what's happening in Africa around Data Privacy and data protection regulation. A lot of times, what you hear on these shows is mostly talking about the US or Europe; right now, China has kind of jumped in as well. But there's a lot happening in Africa and data protection; I've been very impressed by the POPIA law. And so I would love for you to give the listeners some indication about what's happening or what's brewing in Africa; we need to know.

Ken Chikwanha  15:53

Yeah, so I think a lot of the commercial centers across across Africa have actually started seeing the relevance of data protection legislation, some of them are still at a very rudimentary stage, and some of them are still just talking about it. But a lot of countries have started enacting local Data Privacy legislation. And, you know, I'll take South Africa, for example, because that's my current context, you know, the POPIA act that you speak about, it's a very comprehensive piece of legislation. And it's very comparable to the GDPR in the sense that it covers a lot of those minimum processing conditions for personal information. It goes a step further in the sense that we don't limit data subjects to being just individuals; corporations are actually data subjects as well. So we actually look to actually protect the personal information of these corporations. So PII of these corporations would be some of the registration numbers, you know, some of the information that's unique to that organization that actually becomes identifiable with that organization. So, you know, the regulator, the local regulator, has done a lot of work. And, you know, we've also just built a great relationship with them because I like the approach that they've taken. They don't understand business the way we understand business. So they are open to that; they are the law experts, you know, they drive the constitutional outcomes that need to filter into Data Privacy laws. So working with them, they've been very open to actually just understanding what's our context. What are the things that we are grappling with, as well, just in terms of actually interpreting the legislation or actually implementing it? To the extent that, you know, one of the associate associations of the banks locally, which is like an industry body, actually came up with a code of conduct, which basically takes the law and says, this is how we understand it. But this is how we actually get implemented. So we're not overriding the law; this is how we can practically implement it because some of the things that may be interpreted in terms of some of the principle-driven legislation, they weren't open to interpretation, you know, so, as the banking industry, you know, people just came together and said, you know, this is how we actually see it playing out. And the regulators have proved that code of conduct, so it's actually in effect now. And that's what we're actually working with, as well. So there's a lot of work going across the continent. And I think people have realized that, because they did move across borders, you know, with adequacy, rulings across, you know, from different countries or different jurisdictions, you need to have something to show for how well you're actually going to uphold those regulatory obligations, as data is passed on to your territory. So yes, there's a big wake-up call, and a lot of countries actually coming on board with that. So it makes it easier, especially working in a multinational corporation like this, to actually just understand the law and actually just make sure that whenever we do translate some of those jurisdictions, it's adequately protected. And, you know, the obligations can also be upheld in those territories.

Debbie Reynolds  19:36

How do you keep up as someone who you know you're like an International Man of Mystery? You're working in a multinational organization. So you need to know what's happening in all these different regions. How do you stay abreast of what's happening?

Ken Chikwanha  19:55

So the same way I got introduced, the same way I built my confidence on the same I just built my understanding of the industry is I listen to a lot of podcasts. And, you know, there's different people with different opinions. There's a lot of international guests that you actually get on these on these shows, you know like it was, and it's just hearing their stories, it actually just makes me feel like, you know what, I'm not alone. We're not doing this alone. This is actually an international situation. And, you know, we can all learn from each other. I think that's the best part of it. I do a lot of research. I like writing articles as well. So I think writing articles actually just forces you to actually research because you can't just put out stuff that's not founded in fact or actually current. So that's how I stay abreast. And yeah, I enjoy reading, like, every single day is just, I get myself that I need to learn something brand new. And that's it, whatever it is, whether it's reading about a new law in another land or just, you know, just following some of these ChatGPT developments.

Debbie Reynolds  21:02

Yeah. Oh, my goodness.

Ken Chikwanha  21:04

It's fun and games, it's fun. And games. Yeah, I saw a paper that you put out as well, just talking about some of the things that you need to look out for.

Debbie Reynolds  21:13

Thank you. I tell people if you don't like reading, like, data protection is not the job for you. Because you've got to read a lot, it's a lot of reading constantly, constantly, the laws are changing, the technology is coming rapidly. So you have to be plugged into what's happening. Give me a walkthrough; tell me what is the day in the life of someone who's doing a three-pronged job like data governance, privacy, and protection.

Ken Chikwanha  21:42

So it's, look, you definitely have to have a strong and willing team. And they also have to be a bunch of learners because it can't just be one person who's doing all the reading doing all the researching. So, you know, you have to have a strong bunch of people who actually want to actually explore. And, you know, I like to think of it almost as a calling, you know, it's not just a job that you do, you know, you walk in, you walk out, a calling is something that you're passionate about. And you know, in order to actually stay abreast and to actually do the job, right, you need to be passionate about the industry. So building a great team, I think that's definitely a huge part of it, a cross-section of skills because there are different aspects of your role outcome that we're trying to achieve and Data Privacy, you know, good security people, good data governance related people, and then obviously, some legal minds, you need them to check a lot of the time because legislation is open to interpretation, you can't take chances with it. Even if you have a damn good lawyer, so you know, just working with a strong legal team as well, both within the team and within the broader organization, that's definitely a huge part of it. So you know, working with the senior leadership as well, because ultimately, the board is accountable. Like, when the organization shows up in the papers, shareholders look at the board; they don't look at everyone else underneath. So working with the board to help them to actually understand, you know, the risks that we face, you know, as an organization if we don't actually uphold some of those requirements. So working with the board and senior leadership, understanding the strategy. And just staying close to the business, because like we said, that is the context within which we operate. So working closely with the business, we have people embedded in different business units to actually make sure that you understand the business; you don't just come with your legal hat and slap it on the table; you understand their context and actually talk them through in the language. You know, why certain customer-facing processes, for example, need to include, we need to update the agreements that you know, whether it's consent or be relying on or whatever it is, so that all these things actually, all these changes are actually made to these customer-facing payments. You know, working with the procurement, vendor management people, I don't know what you guys put in there, but to make sure that what our third-party contract as well. They are adequately updated, and they actually protect the organization, that ultimately protects the customers whose data we were working with. And then ultimately just overseeing a lot of the regulatory or regulated type engagements. So I don't know what you guys pulled in there.

Debbie Reynolds  24:49

Yes, so regulators.

Ken Chikwanha  24:51

DPA. Yeah, yeah. Same thing. So just yeah, obviously in those engagements because it's good to have one touch point with the organization. So we are kind of the face of the organization when it comes to old engagements with the regulators, so when they issue a, whether it's a compliance assessment notice or whatever it is, that we're the ones, we actually end up integrating the business internally to make sure that we gather all the information that's required. And then, you know, just play back to the regulators and action status, because depending on what's going on with the organization, but in a nutshell, that's it. But I think one of the things that's normally underrated, as well as just a lot of what we're doing, is actually behavioral change management. Because we try to change behaviors in the organization. Legislation takes shape in the actual culture of the organization; that's, this is what people do on a daily basis. So if we don't change these behaviors, then we really don't stand a good chance of meeting those regulatory obligations. So we do a lot of change management as well. And there's a lot of awareness sessions that be held with business either targeted or just, you know, some of the townhall type meetings, to raise awareness, because I think the more this language becomes familiar to people in the business, you know, it becomes not even second nature, it actually becomes first nature, because then people actually understand, they read about in the papers now understand how it actually applies their business as well. So yeah, that's the long and short of it.

Debbie Reynolds  26:27

A typical day where I get some executive advice from you. And this comes up a lot as people who take on these roles within organizations, it's like you're a smart person, you've done all your research, right, you're showing your value to the business, but you decide that in order for you to do this, you may need to go out and purchase a tool, or have a business, spend some type of money or invest in what you're doing. So give me some pointers on how people can make a case for being able to get the funding for maybe a tool or maybe some other resources and things like that.

Ken Chikwanha  27:09

So it's quite a topical one, Debbie. So I think for me, there's actually two different approaches. So you could either come with the compliance stick, and, you know, beat everyone into submission, scare people, and, you know, tell them, we don't do this, we don't invest in this. The approach I prefer is obviously to assess the real need for that tool. Because not all tools work for all organizations. And depending on the organizational context, depending on what you already have in place, I think one thing that actually helps to get buy-in is to do a proof of almost like a proof of concept or proof of value. So demonstrate some value upfront, you know, so whether you're doing Power BI dashboards or using SharePoint sites, you know, whatever it is, come up with a proof of value that shows this is what we're trying to do. But in order to get to the next level, you know, if you want this kind of management information, if we want to cope with the kinds of volumes that we're going to be seeing, you know, once people actually wake up and actually start exercising the rights, we need to actually just invest in the proper technology. So the approach I prefer is actually just to demonstrate some value first, demonstrate the concept, and demonstrate some value. And then once you get them on board, then it's easy to do that, you know, the compliance stick? Look, ultimately, if you're investing company money, you're going to need to justify that. So if you can't prove that prudent investment, then yeah, I guess you're going to be in a bit of a compromised situation as well.

Debbie Reynolds  28:55

Also, I think one thing that companies need to do, and I want your thoughts on this, you want to see what tools the companies have already that you can leverage or see what those limitations are. Because a lot of times, they say, well, why should we buy another tool? Because we have something that does something like this? So what are your thoughts on that?

Ken Chikwanha  29:15

I agree, I agree. Look, I'm the we come from different economies across across the world. And I know there's certain economic pressures, which dictate that we need to be sensible, but put the money that we actually spend in the organization. So if you've invested in, for argument's sake, Microsoft Enterprise suite, you know, there's things in there that you can pick on that can actually help you to either perform the tasks within workflows that you need to develop, you know, whether it's dashboards, you need to develop these things that you can actually leverage in the organization already. So that, for me, is the more sensible approach. But then again, like I say, depending on what you already have and depending on where you want to be, some of these tools actually come ready-made. And that can actually just help you to just hit the ground running. It also depends. Are you digitally native? Or do you actually have a lot of legacy technology to actually contend with? And that will also determine which party is undertaking because not all tools can readily interface with some of the legacy technologies that we find in some of the more established organizations.

Debbie Reynolds  30:40

One of the things I want to chat with you about I want your thoughts. And this is something that I'm seeing in regulations around Data Privacy and data protection. So what these regulations are doing, or what is bringing into a business process that wasn't there before, is focused on the end of life of data. So a lot of organizations have accumulated data over the years; they've not ever deleted anything, right? So now these regulations are saying, you can't keep personally identifiable information of someone forever, you'd have to have a plan, even though they may not say delete it every three years or something, you have to have a strategy and a plan for when you're done with that data so that you don't keep it and then also, we know that when data has a low business value, it has a high privacy risk to the organization. So what are your thoughts?

Ken Chikwanha  31:41

Yeah, I agree. I agree. So I think historic context, the historic attitude of people was, let's just keep as much data as we can. You know, we don't need to delete it; I think we might use it one day, you never know, just in case, just in case, just in case. And, you know, I think that works to a point. But now to your point. Keeping data beyond its lifespan or beyond the purpose for which he actually collected it for is a risk from a privacy perspective because you have to demonstrate the purpose for which you collected the data. So if that purpose has morphed over the years, and you can't demonstrate it anymore, then guess what, you know, that's a big fine coming your way. So if you can't justify it, by actually demonstrating why we are actually still keeping this data, you are going to be in line to some kind of sanction. And I guess the other side as well is just why would you want to just increase your footprint to the point that, you know, you end up incurring all sorts of costs, to actually protect that data. It doesn't make that much sense. So you need to have a deliberate strategy of actually collecting it for a specific purpose, processing it, storing it, and then ultimately retiring it. Whether it's archiving it, or de-identifying it, or whatever it is, and just taking it offline or destroying it outright, so that you actually stay in line with the load. But you also just don't give yourselves unnecessary headaches in terms of trying to protect data that you haven't touched for the past 20 years. But that actually just exposes you from a regulatory and from an information protection point of view,

Debbie Reynolds  33:37

I think, to some companies, because they don't have any insight into what the data is, they're afraid that they're going to delete something they shouldn't, or something like that. But it's like, yeah, we haven't looked at that 20 years, you're like, maybe get rid of it.

Ken Chikwanha  33:54

Chances are exactly right. Exactly. Exactly. And I think just having a deliberate strategy around that. So you know, whether it's you your data retention, data retention schedules, which tell you that, but this type of data, we get to keep it for five years, or we get to keep it for 10 years, either for legal reasons or for compliance reasons. And actually, just having that liberty done throughout the different business units, it actually just puts you in a much better place, it actually makes it more defendable as well, because if you've deleted something that ends up being called on as being subpoenaed, so call him and say, you can just argue that, you know, this exceeded our retention period. And in line with law a and this law, we ended up deleting it. That's more defendable than trying to defend why are you still holding on to data that you don't even do business with the customers anymore, but you're still holding on to their data.

Debbie Reynolds  34:55

Right? Yeah, because I think T-Mobile had a data breach, and that's exactly what happened with where they have, really, they have a list of people who had applied for phones, and they have their identifying information. But it's like, a lot of those people had never become customers, but you still have their data, right? So that's why they ended up having a breach; it's like, oh, my God, all you had to do is delete that; you need to delete it, you know?

Ken Chikwanha  35:22

That's it. That's it. That's it. And the thing is, you know, business context changes as well, someone else is going to come into the organization, and they see this data, that it's in the database, you know, they're like, you know, let's send marketing flyers to all these people. You know, you start getting causing all sorts of friction with customers and consumers. And, again, the regulator will come knocking if you end up just, you know, just violating people's rights. It's avoidable.

Debbie Reynolds  35:50

It absolutely is avoidable. But in a way, I think people have a personal attachment. They have emotional feelings about it, right, that aren't logical. So you ask them, so why keep this and it's like, once they run out of like, logical reasons, they're like, far different, irrational. What are your thoughts?

Ken Chikwanha  36:12

I agree. I agree. It's just that just in case, just in case, just in case, yeah, we might want to touch these customers in the future. People come up with all sorts of reasons. I agree. But yeah.

Debbie Reynolds  36:27

Tell me a little bit about silos. So organizations, I feel like the way organizations have been created over the years, they were made almost like every little group does its own little thing. And then, magically, things come together. And that's how you do business. But when you're in Data Privacy and data protection governance, you have to be able to communicate with people across all parts of an organization. And I feel like that's a skill that isn't really taught. So it's like certain people really excel at learning that skill. But tell me about that part of working with different groups who probably don't even talk to one another, you know?

Ken Chikwanha  37:23

Yeah, look, I think silos are, they can be the downfall of a lot of business organizations, I think operationally, it doesn't make sense. If you're one organization, surely you need to be communicating, you need to be speaking, you should, there should be one business strategy that you're all aspiring towards, right? You can't, as much as you may have your own divisional aspirations. Ultimately, everything needs to come together for the greater good of the organization. And in I think, in our world, it actually ends up touching on the consumers in that. Our consumers don't see divisions in an organization; they see one organization. T Mobile, they see a Standard Bank, whatever it is, you know, they don't care about now, the marketing department said this, and then the Human Resources Department said that you know, for them, it's like, now, you have my data, I gave it to you, I trusted you. But now you're coming up with the story. So, you know, departments or divisions not working together, you actually end up causing more friction than is necessary with customers. But I think also with the regulatory community, you know, when a regulator comes knocking at the door, they don't know about investment banking, they don't know, they don't want to know about human resources centers, they don't want to know about all that this, they deal with one brand, you know, and unless you can actually ensure that these operations are actually operating seamlessly, you actually do end up jeopardizing the organization, and just, you know, messing around with customers as well.

Debbie Reynolds  39:04

We touched a bit on it, but I want to talk with you a little bit about AI and what's happening in the world. AI is something that people are trying to keep out of, you know, it's like a castle, where it's like someone's trying to charge the castle, you're trying to close the door, but you realize it's already in the castle. Well, how is AI and how AI things like Generative AI being built into maybe tools we use every day? How do you think that's going to impact Data Privacy, data protection, and governance in the future? All right now, but when I say the future, I meant, like, in a month or so.

Ken Chikwanha  39:49

Yeah, look, there's just so much going on in that world. And I think it's novel that certain communities keep trying to come up with frameworks and legislation to actually try and rein in; I do agree that, for the most part, the horses have already bolted. And they are prancing around heavily in the middle. So now, trying to bring it back in is going to be a bit of a challenge, you know, so if you take that ChatGPT, which we spoke about earlier, you know, this has been scraping data off the Internet, data that's been around for who knows how long. So anything I've ever posted on the Internet, I am certain it will actually become a part of that, you know, that data that model ends up using. So there’s the consent side in terms of I did not give anyone any permission to actually do that. However, my information is now part of a greater body of knowledge, that of data that a tool like ChatGPT ends up scraping and actually using to actually produce the content. And, you know, I think another risk as well is just around content creation. But you know, the risk around that is, people, are doing all sorts of stuff that they don't even understand. But they're using people's data; they start to introduce personal data in that. And, you know, they get surprised at the end of the day when the data is misappropriated, and it's up in the wrong hands. So it's there's an awareness thing, both from the user side, but I think just from a just control or regulatory standpoint, as well, there's definitely a part that, you know, regulations need to play to just try and keep it in check. Because it's so wide open right now that it's scary. And frankly, in different organizations. Yeah. You know, Amazon and Microsoft are backing ChatGPT. Look, I'm not going to make assumptions. But I assume that there's a reason that some of these global tech firms are actually doing that data that is at stake. And, you know, people will end up in all sorts of places that we haven't even imagined today. So yeah, it's an interesting time. It's a little unnerving as well; I'll admit that.

Debbie Reynolds  42:38

Yeah, right. Can't go back. Yeah, let's stop; let's stop for six months and see what happens. Like no, it's not going to work. Yeah, it's totally out. Or, also, I think, to me, something is happening with Generative AI that I saw happening, you know, many decades ago around personal computing. Because remember, you know, when computers were really expensive, a lot of people didn't have computers in their homes that they will have at work, for example. And then as computing got less expensive, you know, people have computers at home that were better than the ones they had at work, right? So people were like, well, why doesn't my work computer do what my home computer does? So in a way, now I see that parallel, almost an agenda to AI, well, you know, my own account, I can do whatever, all this stuff, but then I get to work. And then I have all these restrictions. So it's almost like it's really pressing against the business to really get up to speed on our agenda to the AI. And then we're like, you know, be cautious and do this. And people, they're just going crazy. So what are your thoughts about that?

Ken Chikwanha  43:57

I agree. I agree. Like a lot of organizations are coming up with policies, and, you know, just papers, just in terms of trying to manage the use of Generative AI tools within the organization. But to your point, if I can just go in and download ChatGPT on my mobile phone. You know, that's a vector that's just opened up. And I come back to the office the next day. And, you know, we're surprised by some of our customer data ends up in some of these models. So yeah, it's turning into the wild west.

Debbie Reynolds  44:35

Yeah, definitely, Wild West, definitely super rapid. I suspect that Generative AI capabilities will be in almost any enterprise tool you can think of before the end of the year.

Ken Chikwanha  44:55

Absolutely. I can't see that not being that way. Yeah, because that's the future. Like, if you think you can use those efficiencies for your own business purposes, then what are the chances you will end up adopting? Yeah, I think it's just, is it the control deduction? Or is it just, you know, we're just going to be just going to jump into the pool and see what happens?

Debbie Reynolds  45:18

Very interesting. Well, if it were the world, according to you, Ken, and we did everything you said, what would be your wish for privacy, data protection, or data governance anywhere in the world? Whether it be regulation, human behavior, technology, or innovation. What are your thoughts?

Ken Chikwanha  45:39

I like that you touch on human behavior because, for me, that's, you know, that's the crux of it. I'm all about the people, like the man on the street, who doesn't know any better, you know, so my thing, you know, in an era where we have, the normal attitude is I didn't read the privacy policy. That's the default attitude. For most people, I just really want people to be better prepared and more empowered data subjects. So that, you know, they can actually have, you know, what I like to call informed agency. So you have agency over your information, but you actually, it's actually important, you know, what you're doing, whenever you log on to the site for certain pieces of information, know what information you give me know why you're giving it and, you know, just be more aware of that. Because, you know, once the information is out there, we have Generative AI coming down, and it's going to take up all that information. So I think definitely on the people side, more empowered people more just raising awareness in the people. And then just on the other side is just in a more responsible, and I guess, more ethical and transparent with, you want to call them controllers, responsible parties, just to make sure that you know, the ethical use of information is actually a key performance indicator to people within these organizations. You know, because beyond that, you know, if it's left to people's discretion, they'll do whatever generates the most profit. Yeah, but unless they actually do it. Data subjects are always going to be at risk. So those are the two things I really want to change. Are you allowed to answer that question as well? You've been around for quite a while, you know, yeah, yeah. What's the one thing for you? I'm sure it's changed over the years.

Debbie Reynolds  47:39

Wow. Oh, my God, that's asking me my own question. Let's see. The thing I really want is, I would like to have, I think most countries, other countries have this. I want privacy to be a fundamental human right all over the world. So it becomes a fundamental human right that fills a lot of the gaps that occur in a lot of laws because instead of thinking about our consumer, you know, not every human is a consumer, right? But every human has data. So if we can agree on that, maybe at a global level, I think we can help harmonize a lot of regulations around the world.

Ken Chikwanha  48:25

I like it.

Debbie Reynolds  48:27

Yeah, definitely. Oh, thank you so much. This has been a Tour de Force episode. It's great executive advice for anyone who's wearing many hats like you do and also working in a multinational because, you know, we're all connected. So things that happen everywhere impact all of us. So I think having these conversations and knowing that we're all pretty much in the same boat, right? This is a different jurisdiction, which helps us all move forward. Well, thank you so much. I'm sure we'll be chatting in the future, but I'd love to be able to collaborate with you in the future. That'd be great.

Ken Chikwanha  49:08

I look forward to that. Thanks so much for having me on the show.

Debbie Reynolds  49:11

Thank you so much. All right.