E205 - Daniel Suciu, (un)Common Sense Advisory, Data Protection & Governance - Romania

40:28

SUMMARY KEYWORDS

data protection, data, companies, work, people, talking, years, law, understand, organization, business, good, privacy, processes, started, checklists, compliant, lawyer, questionnaires, part

SPEAKERS

Debbie Reynolds, Daniel Suciu

Debbie Reynolds  00:00

Personal views and opinions expressed by our podcast guests are their own and are not legal advice or official statements by their organizations. Hello, my name is Debbie Reynolds. They call me "The Data Diva". This is "The Data Diva" Talks Privacy podcast, where we discuss Data Privacy issues with industry leaders around the world with information that businesses need to know now. I have a very special guest on the show all the way from Bucharest, Romania, Daniel Suciu. He is a data protection expert and the head of Uncommon Sense Advisory; welcome.

Daniel Suciu  00:46

Thank you, Debbie, and I'm very glad to finally meet you after many years of following your work. I'm really honored to be able to speak with you, and I've been waiting for this. Really, you are a role model for many.

Debbie Reynolds  01:06

Oh, that's so sweet. Well, I'm super excited to have you on the show. You and I have known each other for many years, virtually, on LinkedIn. I always love your commentary, because I think the things that you say are rooted in so much reality and practicality and how people work in data spaces. So I think, fortunately, some people who talk about data protection, they talk about it from a theory standpoint, but I feel as though when I'm talking with you, it's definitely coming from a practical, pragmatic point of view, from the lived experience. So I really appreciate that.

Daniel Suciu  01:47

Yeah, thank you. In fact, data protection itself and in Europe, we don't call it privacy. We call it data protection mostly, but it's saying I'm a junior. I have seven years. However, my background, working in ITN as a business analyst and working in internal audit, that is, management and others, helped me a lot in this area because a lot of knowledge is very useful. That was the reason. When I joined data protection, I noticed that I have some knowledge that could be useful, aside from legal. So the only thing I had to do was a few thousand dollars to understand the laws, by the way, and not only the laws around the globe and all the recommendations from different authorities. It was a challenge for me to read about court cases so as to understand the legal part also a little better, not to become an expert from a legal perspective, but to understand that.

Debbie Reynolds  03:03

I love your path and your journey because I think your path and journey is very similar to mine, where I was helping companies with digital transformation and other types of projects, and back then, data protection, the US especially, really wasn't like a quote, unquote job you were working. You needed to know what you were doing and things like that. So it's actually interesting to see that it's turning into a career path for people. But I want your point of view about how you're finding being in data protection, especially as you say you studied the law and the legal part, but you're not a lawyer. So people like me and you who are not lawyers, what do you think that path is like? Or how have you found that to be in your work?

Daniel Suciu  03:57

Very challenging, and I can say 99% of it's only for people who are self-motivated because, really, it's not a well-paid job. I have worked almost my entire professional life in it, even the basic jobs in it are better paid, usually and even compared with a depot of a large organization of big banks or billions, so it's not a well-paid job, maybe could be as consultancy, yes, in some cases, but as a depot, unfortunately, It's not for everybody or not doing only this. The good part is that it is connected to many other areas, and I'm happy to see that as I'm an IT guy, and I was a specialist in cyber security, and now moving to this data protection and trying to understand the law. I saw many lawyers and people with legal backgrounds now studying and trying to understand IT, cyber security, and Artificial Intelligence, which is good because this is a cross-functional domain, and sometimes, it doesn't matter where you are coming from. I have in my contacts excellent specialists coming from marketing, coming from accountancy, coming from legal, IT, from cyber. It needs some work and a lot of learning, which is good. See, I'm a very good example for the younger generation. I'm 60 now, and I have to learn continuously. So this is the future for our children and our nephews; that was clear, and they will have to learn their entire lives. But I consider that a good thing, so something nice is challenging and keeping us alive and interested.

Debbie Reynolds  06:05

I think you made an important point that, especially now in organizations, it's important to have people who have multidisciplinary skill sets and can talk with people at different levels of the organization, as opposed to being in a silo. What are your thoughts about that?

Daniel Suciu  06:26

Yeah, that was a problem I encountered 25 years ago when I worked on some cross-functional projects, and it was a challenge trying to understand people from other areas. Sometimes, it took me months to understand what they were talking about, not the details, but if you really care, you understand that, and you need just to care enough in order to learn from them and to really communicate. If you really want to learn, other people will notice and will really help you if they see interest on your part. It doesn't matter if you're good or not. In the beginning, if you're interested, you can learn, and people initially might not accept you, but in time, you can gain trust. In some cases, I got support and buy-in from some initiatives, from other departments, where it was reduced, from my department, and I got for some business intelligence, but from marketing, from finance in other, four customer operations, which were not seen as an important thing for my department, being IT. So it's always a way to cross as a barrier between and that means interest and really care to understand that people that's the only things one requires, I suppose.

Debbie Reynolds  08:07

I think that's true. I've seen people try to go into data protection or Data Privacy roles, and they try to do it in a way that is very forceful and not very open, and that's just a disaster because people won't help you. They won't give you the things that you need. They won't feel that you respect them and what their issues are, what their challenges are. So I think really listening to them and like you say, they will help you. They know that you have an interest in what they're doing and really care about the things that they care about. Yeah, I'd love for you to chat about this. You posted something recently about checklists or why you hate checklists, and I would love for you to expound upon that post. Great, but tell me your thoughts on this one.

Daniel Suciu  09:03

In my experience, I have used many tools, and what I learned is to apply knowledge from one area. I learned a lot sometimes from people from other areas like this. A lot of learning regarding checklists and customer satisfaction questionnaires. This I started, then learning with my daughter about sociology. I was also very interested in psychology. I have read a few hundred thousand pages about psychology, so putting these together and trying to see what works. So, I try to be interested, and like in any learning, sometimes it's trial and error. I have reached out in trying to apply the theory it doesn't work as supposed to work. So, making corrections, adapting, making a root cause analysis, and I was a business analyst trying to understand why, and then I saw that there are simple ways of making this work, but like in the latest article, what I said exactly like people to perceive when you send the questionnaires that you care not. It's not from a robot, from a human being. So how do you put the question? What are the choices? If they see some interest in the real person and relevant questions from their perspective, they will be a lot more willing to give you good information, and it's a tool to use and overall use for wrong purposes. So, checklists are good in some cases, but not forever.

Debbie Reynolds  10:58

I agree with that. By the way, I have questionnaires that I use, and I do them custom, and to me, the order in which you ask things is very important because depending on the way the person really thinks about the problem, it helps them understand why you're asking the question, as opposed to just a random list of questions. So yeah, what is happening in the world right now in data protection or privacy that's concerning you?

Daniel Suciu  11:36

Unfortunately, what I don't like is that big companies and many other experts are mimicking privacy and data protection, pretending that they are going with the actions of the formal aspect, but sometimes it's very transparent that they don't care to implement the actual principles. What I like about GDPR is European legislation, which I don't like everything. Clearly, some parts could be improved a lot, but the part with the principles, see, that's the core, I suppose, where we should start. So, what basic principles do we want to embed into our processes, companies, organizations, products, or whatever? This should be the main focus. Unfortunately, many prefer to talk about some more sexy stuff, like talking about international transfers. A lot of the discussions which were in the last 20 years, the Europe- US transfer. It was sad, after the Privacy Shield, it's not good, not applicable in real life, in almost any company, nothing happened. It was good. Whether the transfer was legal or not, they didn't change any tool. Nothing happened. Just some lawyer wrote a long document that nobody read, not those applying the processes, or at least to the top management, they were not even aware. So now, talking about a lot of people talking about Artificial Intelligence, AI, I understand that it's a real topic and should be addressed, and I'm passionate about this. 40 years ago, when I learned Lisp, which was a programming language developed theoretically for Artificial Intelligence, I tried to study it. I was interested including the literature like Isaac Asimov books on that, and which seems to be quite relevant to today. But now are a lot of experts, and instead of putting questions, analyzing things, we are the beginning, we don't know. No, we have 1000 experts knowing exactly what we should do. I don't see that anybody knows it's good, asking questions, analyzing series, having some measures to prevent, yes, but too much noise, and it's difficult to see which are the relevant voices and what part is the noise. Unfortunately, I'm not able to tell. I know a lot of some people, but the people I know could be a lot of others who are very relevant and I don't know. I cannot find them, I cannot identify them or require too much time for this.

Debbie Reynolds  14:46

I think that's true for me, I look to people who've been interested in data before GDPR. So for me, those people really care about data protection, and they, a lot of times, come from different areas, and they intersect with data protection and privacy. You wrote something recently about how to recognize a decent privacy or data protection consultant. Give me your point of view on that for the audience?

Daniel Suciu  15:23

Yeah, first I tried, with the negative part a few years ago, what not to accept, because I saw based on the wrong example, like selling solutions. GSR compliant. I will make you compliant. So, no empty promises. You cannot make somebody compliant. You can help. They have to work. It's not possible. You can support to embed into their organization processes and so on. You don't have to force them to say that the most important thing they should do now they are running a business, some of them, and this is one out of maybe 20 other legislations they have to follow, so it's a concern, and it's easy to point them the risk. What are the risks for them? For some kinds of businesses, there are huge risks for others, close to zero. It's a factory where they maybe they have with their employees that's all, no data, nothing at all. Try to prioritize and focus on what really matters to them, to add some value or at least not to ruin too much from their processes. Some were selling a lot of documents. You need 20 procedures. I said it's not possible. They're running a business, and they have three procedures, and I came with data protection. You need another 20, but they have three for all the stuff they're doing their business, and maybe one for human resources, so as not to exaggerate and point out the risk and do the thing with them. So to let something after you left, sometimes not the document. By the way, I always refuse to write documents on my own. I never accept this. I can write with the people from the organization; if I write them, they are completely useless. I can have a structure, I have a template, I have an example, but to use their words to analyze their document and their way of working, either it's more formal, less formal, and on the level of understanding of the people, I saw huge documents written by people in a factory where they had about 10% of the people who actually cannot read at all, so completely illiterate, not functionally illiterate, and you put them to sign a document, it took 10 seconds to make a signature on the paper. What's the value of that? So I was talking with her boss. Boss, let's have a discussion with that, a 10-minute discussion, what you have to see to clarify to them that a company is using only the data in need from you in order to give you the salary, to check your health, which are legal requirements and nothing more, if you have a question asked, so you can translate them into a discussion in 10 minutes, all that matter for them. So sometimes it's simpler than that. That means to care.

Debbie Reynolds  18:59

I agree with that. I remember when GDPR came out, a lot of companies were really up in arms about it, because it was so complex and expansive, and in the US, we weren't accustomed to laws like that. Even my European clients, I would tell them, a lot of stuff doesn't even apply to you because you don't use data in those ways. So don't be concerned. We're not going to go overboard because, depending on how you're using data, your risks aren't as big. Maybe not everything applies to you anyway. So I love the fact that you talked about principles, because I think principles are going to be the future way that we deal with data protection. Right now, I think we're in a state, especially we're having in the US, where we're seeing all these little laws passed from States. The State, and what you're seeing is a steady drumbeat of okay, this change happened, this new law happened. But I think from a business perspective, companies need to really have a data strategy that includes data protection, as opposed to them trying to react to every new law and regulation. What do you think?

Daniel Suciu  20:25

By the way, I wanted to, maybe to brag a little, but how I noticed that what’s relevant for some, I have a lot of contacts and people I really discuss with from all the continents, from different countries with completely different legislation, but most of the concern are the same. So if what I write it's relevant to them, and their concern is relevant to me, and no matter if they are in Africa, I have a lot of contact from Africa and the Middle East, Israel, not talking about us, and India, where I have almost half of my contacts. So see the main idea, main principle, and main concern are the same. The difference is how to implement it. So we are concerned about saying things could be little differences of implementation, but the big part of the understanding and doing something in your domain is true and applicable to almost any country in any region.

Debbie Reynolds  21:39

I agree with that. Are you seeing companies in your work have a better understanding of how data protection needs to be implemented within their organizations? Or do you feel like it's still something that's hard for companies to understand?

Daniel Suciu  22:00

It's difficult because they have different interests; by the way, sometimes they are not aware of what is needed, and too many consultants or lawyers are telling something else that you need in order to fix your problems, which is not quite true, by the way, I discussed with the lawyer, said that we need a lawyer to implement the law, and from what I read from my culture, no the principle of the law, a good law should be understood by those who were targeted. Doesn't need a lawyer, and if for each lawyer, if each law, you would need a lawyer, I would ask how it would be in construction or in restaurants, where they have a lot more laws to comply with and a lot more difficult, so they have a lawyer to translate the laws for construction, and for the food, I don't think so. So okay, they could help management understand the law, not doing their job. It's a different story. So, unfortunately, there's too much interest in building the wrong kind of awareness. I suppose so because of lobby interest or other, so I would think that another 5, 10 years would be needed for companies will understand what would be their benefits and what they really have to do in order to be compliant.

Debbie Reynolds  23:44

Yeah, sometimes I think companies think of compliance as almost like a finish line. It's like a race. If anyone wants to get to the end of the line, then we're compliant. But really compliance, just like you said, is really action. It's what you are doing actively within the business to align with those principles. What do you think?

Daniel Suciu  24:07

Yeah, but I'm not sure, depending on what companies we are talking about, because there are some companies that will never be compliant because their business model is completely against it, not Meta, Alphabet, or Amazon, they will never be compliant. They will run out of business, or they will have to change completely their business in order to be compliant. So they will use all their power to do not to respect it, and until now, they were very, very successful. But it's about power so when companies like this have power a lot more than my country, for example, how it was a big company more than the revenue of my country. Okay, you can understand why we can limit and put some barriers in some parts, or at least eliminate the most critical one like it was in us. Started with data about children, where they take so, yes, so if we cannot do everything, we have to choose our battles and maybe starting with those at risk would be better. So we don't fix everything at once, but where it's more critical, and yes, starting with children, with health data and things like that, this would be a good start from my point of view.

Debbie Reynolds  25:43

Yeah, I think that's true. Think that we are working with companies. Obviously, you have to figure out, like you said, their business model, what they're trying to achieve, what types of risks they have, because some things have a higher risk than others, and then try to put them on a pathway towards maturity. But are you seeing companies become more mature and more understanding of data protection in your work?

Daniel Suciu  26:13

Yes, I saw some companies, at least the normal companies, where data is not their core business; everybody's handling data, but it's not the core business of handling data. Those started to be more aware and to understand they could have even benefits from this. by the way, a topic that I addressed, which is not addressed, is what I called dark data, which is hidden in many companies. 50% of the data you have it, you never use it. It consumes resources. So, starting with a company from a data protection perspective, see, you have some data. You have notice and legal basis to process what data we don't have. Only CVS, when I showed them, that means that they have 10% of the data, not 10 times more than they saw, and they started to measure all these data they would have made. See how much you pay for the storage, for the software, not because of the storage, not the hardware, the storage of maintenance backups. So they noticed that see, indirectly, they obtained some benefits of fixing some of their processes, increased efficiency, or marketing guys when they have clean data, not without a lot of redundancy or useless data they never use, they became more effective, and they close more deals. So they started, some of them, to see some benefit, maybe some more indirect benefits, but all things are, as you said, it's not only data protection by itself. Sometimes I do something, I notice a problem in the operational area or in another area, which can be improved. This way, you get real support, and when top management sees an advantage, okay, let's do more. Let's see what we can see with this could last. So, something that lasts, they saw some value, and we are at the beginning, but the trend is good, I suppose.

Debbie Reynolds  28:33

I think it's true because companies do have a lot of data. Maybe it's part of the Big Data wave many years ago, where companies were just collecting everything. They thought everything was important. But in general, even big companies, a lot of times, they have a lot of redundant data, things that are old, things that they don't need, things that no one uses, that really create a risk for them. So as you say, getting rid of things that they don't need, understanding, having that clean data, the consented data, or data that has those legal bases can help companies not have so much risk, can help them save money because they're not storing things that they don't need. But then also, especially as we see companies try to move more into more advanced technologies, it's hard to move into those areas if you have data; flagging old data just doesn't work in those systems. So I think I also agree and hope that's a trend because I think that I agree that there could be horizontal aspects of data protection, or being able to understand your data in a way that will help you in your business and in different areas.

Daniel Suciu  29:55

One aspect I like in the US which we don't have in many countries in Europe, is a synergy between data protection, privacy, as you call it, and consumer protection. So we started with the deceptive design technique; see, first, they were noticed in relation to customer protection, and with that, now move to include Europe, they just started, and many times, the organizations handling these are completely different organizations that they don't talk between them. So we don't have these synergies, which would be useful. That's the part I don't like that. We don't learn from others. See, some others have done something right that works. So why do we have to reinvent the wheel if this is working there?

Debbie Reynolds  30:57

That's true. You made an excellent point when you said that you have contacts all over the world, and we are having the same issues, but we're tackling it in different ways. So you're right. It's like, if a different jurisdiction has a good idea, why not adopt it or try to at least learn from it, so that you're not recreating the wheel?

Daniel Suciu  31:18

One law that would be a good source of inspiration for some is the Sarbanes Oxley law.

Debbie Reynolds  31:25

Sarbanes Oxley.

Daniel Suciu  31:28

Yeah, where for financial reporting, for misleading information, the CFO could go to jail. So that's personal for misleading and by the way, this was not replicated in other laws, but should have been something good where you can prove that they intentionally mislead the authorities. So maybe, really, I would like to see, because then and only then, the top management will feel responsible which, when it's about their money, or maybe their freedom, they will understand, if only the company is responsible and the company will pay the fine, nothing will happen.

Debbie Reynolds  32:16

That's an interesting point of view, actually; a gentleman who's going to be on the show, we were talking about data as an asset, and so if you think of data as an asset as opposed to a commodity, you bring more value to it. So maybe part of that discussion really is maybe data is like money or data, in a way that we consider it more valuable, and it desires more protection. What do you think?

Daniel Suciu  32:48

I see data as an asset, and many stories are trying to mention this. By the way, this was one reason I left the cyber security part because theoretically, they admit now that processes and data are assets; however. Still, 90% of the accent is protecting the network, not about data. Most companies don't have something. So that was 20 years ago, seeing now the same change and a lot of money on tools to protect the network, whatever is there? Oh, we sure started. Theoretically, many people said 20 years ago to classify data to see different kinds of data they have different risks, and to protect the data, not only the network. Yeah, that's 1% of the effort, because what I learned in training a long time ago, which I really liked and maintained, people said, this is important. Okay, measure the money they put on that, that's important. Yes, it's critical to us. How much budget do you offer, like data protection? It's important? Yes, it's one of the top three. How much is the budget? 0.0001% of your budget. So, in this case, I said, if I were a shareholder, either you are lying, and it's not a priority, either it is, and I should fire you because you don't put money where you have the priority. So both cannot be true. So the important things is where you put your money on, saying things are important and allocating zero budgets or close to zero, it's not quite right.

Debbie Reynolds  34:41

I agree with that.

Daniel Suciu  34:43

Many consultants are not telling this, because why? Because they are paid by the customer, and I worked a lot with all big four companies, by the way, a lot, and I have friends there, and I work with them and in a conference, I asked a question. It was about cost management, and what cost management? I said it's sometimes bullshit. You have some recommendations to reduce 10% the budget of all the departments; for example, yes, we reduced the money for paying for the Oracle license. We don't need support. We pay for one incident because we didn't have any incidents in the last three years, right? They made some reductions, but next year, an incident. We pay the fees for five years, for that year one incident. So that was cost management, and when I asked it, was vice president of Ernst Young Global and about some things, and said he knows, and it's true. Unfortunately, I said I'm paid by my customer. I cannot tell them on their money that they are stupid. So I try to suggest to do differently. But finally, I don't put it in the report because they don't want to see that in the report. So, between big companies and the big four, the final report, it's a political statement of all different aspects, and what I said that they didn't like at all the business of the Big Four sometimes, then I saw that all the businesses that collapsed in the US, in Europe, that collapsed completely, they had excellent report from Big Four company, all of them with no exceptions. So I said, Why? Because it's a business that is very similar, like I said, like when the mafia started in South Sicily, see where they asked for protection. So having a report from the audit from the Big Four doesn't mean anything, just you are allowed to continue your business. So see, it's similar in not the same things. It's not blackmail. They don't push, but it's used the same way, unfortunately, by big companies, just to have somebody to blame in case we fail. It's not our fault. We have an audit, and they said it's okay we wanted to do, and they assumed Israel to be blamed in case of something for big money, of course, not for free.

Debbie Reynolds  37:28

That is so funny and true. Oh, my goodness. Well, if it were the world, according to you, Daniel, and we did everything you said, what would be your wish for data protection anywhere in the world, whether that be regulation, human behavior, or technology?

Daniel Suciu  37:47

Human behavior would be the most important part because companies cannot make decisions on people there based on their values their habits sometimes. So practically, there are people on both sides and how they think. What are they driven by? That matters a lot, and this is if we change this law, it doesn't change too much. We have seen it in many parts. It's good, and it's necessary, but it's not technology working for 45 years in IT; sometimes it changes. Sometimes it changed for the worse. So it's a tool, like it was the old example with the hammer you can use to build something, or you can use against your enemies. By the way, it seems to be the first usage for a few 100,000 years. So, they didn't have nails when they invented the hammer. So initially, the hammer had other purposes, always people. But it took me about 25 or 30 years to understand that it's important.

Debbie Reynolds  39:07

I agree, people, business, it is a relationship business. So being able to build relationships and do that communication is really vital, and being able to be successful in this type of role, but thank you so much. Thank you so much for being on the show. It's such a thrill to meet you, and please, for anyone who's listening, definitely follow Daniel on LinkedIn. He puts up some of the most amazing information that can really help people understand data protection and consulting in their role.

Daniel Suciu  39:48

Thank you for giving me this opportunity.

Debbie Reynolds  39:54

That was my pleasure. It's a pleasure to meet you finally, after all these years, so we'll talk soon, and I look forward to collaborating with you in the future.

Daniel Suciu  40:04

I will be honored. Thank you again, and we'll talk, definitely.

Debbie Reynolds  40:14

Thank you so much.

Daniel Suciu  40:15

Thank you.