#136 - Privacy Engineering: How to Build for Data Privacy - Nishant Bhajaria

Jun 05, 2023 | 1 hr 4 min | Ep. 136

Episode description

“Privacy is about handling data in a way that builds for both compliance and trust, maturity and transparency."

Nishant Bhajaria is a cybersecurity and data privacy executive and the author of “Data Privacy: A Runbook for Engineers”. In this episode, we discussed the importance of data privacy and privacy engineering. Nishant described his definition of data privacy and why it is becoming a key concern for users, companies, and regulators. He explained why doing data privacy is hard and how companies can build a privacy-first culture. Nishant also covered other data privacy topics, including data classification, data sharing, data consent, and data privacy applied to machine learning.

Listen out for:

  • Career Journey - [00:03:29]
  • Writing “Data Privacy” Book - [00:05:45]
  • Building a Course - [00:10:04]
  • Data Privacy Definition - [00:13:43]
  • Data Privacy Concerns - [00:16:03]
  • Data Privacy Regulations - [00:22:07]
  • Data Privacy is Hard - [00:26:23]
  • Privacy & Security - [00:31:22]
  • Privacy-First Culture - [00:35:23]
  • Data for Machine Learning - [00:39:23]
  • Data Privacy Tooling - [00:42:45]
  • Data Sharing - [00:45:45]
  • Data Consent - [00:49:27]
  • Data Classification - [00:52:10]
  • 3 Tech Lead Wisdom - [00:55:46]

_____

Nishant Bhajaria’s Bio
Nishant Bhajaria is an executive in the cybersecurity and data privacy industry. Having started out as an engineer with a second act as a product manager, he pivoted to data protection before it became a high-visibility topic. Besides building and leading teams at Nike, Netflix, Google and Uber, Nishant has also authored the recently released Data Privacy: A Runbook for Engineers - a deep dive into strategies on effectively identifying, communicating and addressing privacy risks using technical strategies. He also teaches courses on LinkedIn Learning on cybersecurity, career development and building inclusive teams.

_____

Our Sponsors

Are you looking for a new cool swag? Tech Lead Journal now offers you some swags that you can purchase online. These swags are printed on-demand based on your preference, and will be delivered safely to you all over the world where shipping is available. Check out all the cool swags available by visiting techleadjournal.dev/shop. And don't forget to brag yourself once you receive any of those swags.


Like this episode?

Show notes & transcript: techleadjournal.dev/episodes/136. Follow @techleadjournal on LinkedIn, Twitter, and Instagram. Buy me a coffee or become a patron.

Transcript

If you think about the scale of data, we think about the diversity of human beings across the world. No two people are going to think about privacy the same. So how do you as a company factor in the first part of respect and the second part of scale and governance and maturity? That is, for me, privacy. Making sure that people aren't surprised, that people aren't disrespected. Your business is handled courteously and professionally. So privacy is about handling data in a way that builds for both compliance and trust, maturity and transparency.

Hey everyone. My name is Henry Suryawirawan, and you're listening to the Tech Lead Journal podcast, the show where I'll be bringing you the greatest technical leaders, practitioners and thought leaders in the industry to discuss their journey, ideas and practices that we all can learn and apply to build a highly performing technical team and to make an impact in your personal work. So let's dive into our journal.

Hey everyone. Welcome back to the Tech Lead Journal podcast, the podcast where you can learn about technical leadership and excellence from my conversations with great thought leaders in the tech industry. If you haven't, please follow the show on your podcast app and social media on LinkedIn, Twitter and Instagram. And to appreciate and support my work, subscribe as a patron at techleadjournal.dev/patron or buy me a coffee at techleadjournal.dev/tip.

My guest for today's episode is Nishant Bhajaria. Nishant is a cybersecurity and data privacy executive and the author of "Data Privacy: A Runbook for Engineers". In this episode, we discussed the importance of data privacy and privacy engineering. Nishant described his definition of data privacy and why it is becoming a key concern for users, companies and regulators. He explained why doing data privacy is hard and how companies can build a privacy-first culture. Nishant also covered other data privacy topics, including data classification, data sharing, data consent and data privacy applied to machine learning.

I hope you enjoy listening to this episode and learning a lot from it, as much as I learned from this conversation. And if you do, please share this with your colleagues, your friends and your communities, and also leave a five-star rating and review on Apple Podcasts and Spotify. It will help me a lot in getting more people to discover this podcast. Let's go to the conversation with Nishant after hearing a few words from our sponsors.

Are you looking for a new cool swag? Tech Lead Journal now offers you some swags that you can purchase online. These swags are printed on demand based on your preference and will be delivered safely to you all over the world where shipping is available. Check out all the cool swags available by visiting techleadjournal.dev/shop. And don't forget to brag yourself once you receive any of those swags.

Hello everyone. Welcome back to another new episode of the Tech Lead Journal podcast. Today I have with me an author of a book titled Data Privacy. It is actually quite an interesting topic because we will be covering a lot about what is data privacy is the fasting. And what we can do from the engineering team, from the product team stance, in order to protect our users' data. So Nishant Bhajaria is here with me, and I'm really looking forward to this conversation. Hi Nishant.

Hello. Thank you.

In the beginning, I would like to ask you maybe if you can share your career journey, maybe sharing about your highlights or turning points with the audience so that they can hear from your story.

Yeah. Thank you for having me here. I appreciate the opportunity to talk about the book and my career journey here. So, I am one of those people that did not quite fit into one lane. When you work for companies anywhere in the US or anywhere else in the world, for that matter, they think of you in terms of your skill set, your ladder, so accounting, engineering, non-engineering, legal, etc. I'm one of those people that likes to in multiple rounds at the same time because companies become large and vast, the opportunities exist where people don't see them before.

So my career journey began as an engineer working for Intel. That was my first job after graduate school. And then I made a switch in the late 2008, 2009 time frame away from Intel, away from semiconductor development, to healthcare. At the time, it felt like a pretty unwise move because I was leaving an extremely secure job in the middle of what was going to become a pretty deep economic recession.

And in the short term, it did feel that way because I had to go through some instability or a lot of new learning. But then I learned a lot about health care, about product management, about security, about compliance, about how do you do things that represent the entire spectrum of the company rather than just working on the one area that I would have done at Intel. So that diversification enabled me to then gradually make the pivot to product management, program management, run big teams, big organizations, really massive cross-functional initiatives, and then over time, that became a full-on segue into a more detailed security privacy engineering. So essentially helping protect the company from a business compliance perspective on the one side, while leveraging data to deliver features to customers without hurting the privacy and security.

So, essentially, I was able to represent the interest of the business from a commercial and risk perspective on the one side while building for trust and compliance on the other side. You have to remember, as you rise in the company, you have multiple customers. Your internal stakeholders are customers, but then external customers are also your customers as well, but then people in the press, in the media and the regulatory circles, they also represent your customer base.

So how do you support multiple people at the same time? And I love this game. Oh, I love the challenge. I love understanding whether it's a product or a problem from multiple perspectives. So my career journey basically spans not just different skill sets, different companies, but also different levels of detail and different levels of strategic focus across the company and across the sector as a whole.

Thanks for sharing your story and maybe the story about your book too. You started your journey in security and privacy engineering maybe in this healthcare company. How did you come about writing the book? What kind of problems did you see back then? And why did you decide to write the book?

So this is the question where people normally have an inspiring story when it comes to the book. I don't have one. I wrote the book because it was the beginning of the COVID pandemic and I didn't have anything better to do. I couldn't bake bread to save my life. So, rather than turning the house into an hour and, like, setting it on fire, I thought writing a book would be a risk-free venture. And I never anticipated the book to do well. I never anticipated that I would finish the book, for one thing, because I had never written one before. In fact, I had not even written a proposal before, and the publisher told me most books end up being abandoned even if they're started on by an author who has one or two books behind their name. In my case, I didn't have any experience writing a book. I had taught a lot of privacy, security and career management courses on LinkedIn Learning before. But having a two-hour course is one thing; writing a book is something totally different.

So I wanted to say, do some research, make some connections and take a first stab at writing a book, thinking that maybe the next time around I'll be a lot more prepared. But once I started writing the book, once I started working with the editing team in London, once I started getting feedback from Even read individual chapters of the book, I realized how far I had to go in terms of being able to articulate my views in a way that people understood. But I also realized I had a lot of experience, I have learned a lot of things both good and bad throughout my own career, and there was a real opportunity to add something to the popular knowledge about security and privacy. How do you build stuff that's going to force people to work together in a way that people typically didn't? People tend to be within their silos: their OKRs, their metrics, their products, their commitments, right? How do you build something that is not for one product, but for the entire platform? How do you build stuff that is not reactive from a risk perspective, but proactive from an innovation perspective?

So all I had to do is figure out how to leverage the lessons of my career over a lifetime into a 350-page book, in my case 380-page book, that would benefit everybody at the same time. So it began as sort of, let me do something fun in the middle of this extremely challenging pandemic, and it became something a lot more inspirational.

The funny thing, Henry, is that this whole journey began not with the book for me, but with LinkedIn Learning and teaching my first course on privacy. I was in the middle of, like, leaving one job and joining another one when I happened to be on LinkedIn one morning and I saw somebody from LinkedIn Learning post a comment on somebody else's wall and say, hey, we're teaching this course on privacy, but we don't have anybody to teach it yet.

Like, we're thinking about this course, we have approval to put this course out there. And the person from LinkedIn had left this comment on the wall of a high-profile CISO in Silicon Valley and they had not responded yet. The CISO hadn't responded yet. So I contacted this person on LinkedIn Learning and said, hey, if this person doesn't respond, can you bring me? Because I'm interested. And I had no shame. I had no reluctance to be desperate because, you know, you only live one time.

You have to sort of take your chances. And as it turned out, that person didn't respond and I got the course. And that course did very well and led to three other courses, and those three courses and their feedback by learners on LinkedIn Learning made Manning Publications catch me, and they're like, this guy must know to do something. So I took initiative the first time; that led to courses, that led to the book, and that led to a lot of interesting opportunities, including this podcast.

So the lesson here is, if you want to be a leader in the trust, security and compliance space, you have to take chances. You have to write your own book, in a manner of speaking, because there is no handbook. There is no course that teaches you how to catch these opportunities and make a difference. The second thing is there are a lot of people with the same questions. There are a lot of people struggling with questions I had seven, eight, nine years ago. Because the book didn't exist, I wondered, I wish somebody had a book or some Google resource that I could learn from. Turned out I didn't have that benefit, but the LinkedIn Learning courses, the podcasts I do, the book I have done hopefully serve as a resource for the next Nishant who's going to hopefully do even much better than me. Because sometimes you ask questions, sometimes you ask and answer those questions, and I chose to do the latter path.

Thank you for sharing your story.

I think that's a very good message for the listeners here, right? So sometimes we have to create our own opportunity, not to say that we wait for opportunity to come being offered to us and we do so. I think that's a really good thing. And you started from the LinkedIn course, which I think many people would also have done, creating courses and things like that, which I think I find very interesting because not everyone has the confidence, right, being comfortable writing courses by themselves and publishing it. So, I think thanks for sharing this story.

Welcome to Alaska. Can I just make one more point about the courses?

Yeah, sure. Let's go.

LinkedIn Learning has an excellent program for that, and they help you build out the table of contents, the courses, the scripts. It's interesting. Like, when you teach these courses, you have to essentially combine three things. You have to combine sort of the actual course material itself, the domain. If you talk about security or AI or career development, whatever that happens to be, you have to have your core content. Because unless you do that, there's no point in the course being there.

The second thing is, you need to have a narrative. You cannot just throw instructions that people go to. When we were kids, we have fond memories of our childhood because we remember our teachers, our parents, grandparents, counselors, whatever, teaching us the stories, because human beings fixate around stories. Like, Richard Nixon, former president, said that you campaign in poetry, you govern in prose. Or most of us live our daily lives on prose. Like, we have to get our job done, pay our bills, wake up in the morning for her arms, show up to meetings on time. There's a lot of prose. But you really think of your favorite moments as the ones that having fun, you know, the first time somebody gave you a promotion, the first time somebody listened to your idea, the first time you made a mistake and learned from it.

So the second thing I'll say when it comes to these LinkedIn Learning courses: have a narrative. Like, people who ping me for compliments tell me that they remember the stories, my life experiences, things that I did well, things that I didn't do well. So that's number two. The third thing is the ability to promote these stories. Be able to help people who have taught this course. Here's who I am not, here's what I've learned from the process. So have the core competencies covered, tell the stories and be ready to sort of really promote your work. Otherwise, there's so much content out there that people won't catch it.

Building the course itself was a learning experience in that it leveraged everything I learned in college, including in the classroom, outside the classroom, in the debate team, etc. So I would urge people to think of privacy and security through that route, because it's one thing for people to say, I believe in security, I believe in privacy, first principles, do the right thing. Everybody says that. But how do you tell the stories? How do you build the course material? How do you come up with the dashboards? How do you build the products? How do you convince people to give you a chance, right? All those things are very important as well.

Thank you for that tip. So I think that's really very important, right, to build the narratives, not just splitting theories and points to share with the people. I think building your own narrative, sharing your stories, I think it's very powerful. And also, especially if you can be vulnerable and share your not-so-successful stories, I believe, so that people can relate and actually find that it is actually relevant to them.

Right here them all the time. I'm going to be very generous with my mistakes so that you can make new mistakes of your own rather than what I have made. So then I can learn from your mistakes rather than just learning from my own. So I think there is a lot of value in telling people about your mistakes.

Because for every 10 people in Silicon Valley who pretend they know what they're talking about, there are like 100 out there who are afraid to ask the right question because they are concerned that they will not look as smart as the people think they are. So this imposter syndrome is real, but these fields like security and privacy are pretty brand new. Like, a lot of what we know today wasn't known 10 years ago. The idea of having open IDs wasn't as big ten years ago. Global internet was not as penetrative as it is right now. In fact, even the smartphone is something that happened in a sequence, right? Like BlackBerry tried it first. I remember HP released the iPAQ. So innovation happens in peaks and valleys.

So it's important for you to be honest with yourself and with others, because you may look stupid initially, but I feel in the long sweep of history, you will benefit people a lot more if you can be very comprehensive about your mistakes and your successes.

Obviously, when you work for big companies, like I often do, you have to work with your comms team to make sure that you don't end up revealing something that is IP or trade secret or whatever. But I feel like there is a lot of value in telling those stories and learning and helping others learn as well.

Right. I hope one day I could also do the same, you know, publish my own course, telling my stories and let people learn from it.

And I don't want them to this podcast, you can get on LinkedIn and maybe there's somebody else thinking obvious. And you can intrude like I did and say, if this person doesn't respond, give me the course that find work.

So Nishant, the topic of data privacy itself, I find it is pretty rare to find good resources about it.

So when I see your book, right, I think it's pretty, maybe it's one of the things that I just bumped into, but actually the topic is pretty hot. These days when people talk about the data, people talk about, like, GDPR in Europe. Here in Singapore, we also have something similar called PDPA. And also users are becoming more aware that data privacy is a key thing for them. And I think when I see your book, I find it very interesting.

And the first thing that I would ask you is actually to define what is this data privacy. And there's an equivalent privacy engineering associated with it. Maybe if you can describe what those are, that will be great.

Yeah, so privacy does not have a definition per se that is universally accepted. So I think of it as two different definitions, and hopefully we can overlap the two over the course of this conversation.

So, from a user perspective, from a customer's perspective, I like to think about people like my parents, my siblings, my grandparents, my spouse, her dad. For them, privacy is about being treated with respect, like being able to make informed decisions with their own data and not be caught by surprise. Like, this should not be an example where somebody intentionally, willfully or continuously and carelessly did something with your data that you would not have wanted to. Or in other words, I shouldn't do something with somebody else's data that I wouldn't want somebody else to do with mine. So there's a very human, visceral definition that may not be quantifiable but something that is easily understandable, right?

That's the first definition. The second thing I would say for privacy is, as a company, as an institution, as a government, you want to make sure that you use somebody's data in a way that is respectful, that is transparent, that is compliant, that is continuously improved. If you think about the scale of data, if you think about the nature of human engagement, we think about the diversity of human beings across the world. No two people are going to think about privacy the same. So how do you as a company factor in the first part of respect and the second part of scale and governance and maturity? That is, for me, privacy. Making sure that people aren't surprised, that people aren't disrespected. Your business is handled courteously and professionally. So privacy is about handling data in a way that builds for both compliance and trust, maturity and transparency, right?

Thanks for the really great definition. So the few key things that I picked up is about trust. It's about treating our users with respect, right? And also treating others like what you want to be treated, I guess, right? So if you don't want your data to be shared, maybe don't do that, but with people as well. I think in the past, I don't know, maybe the last five or ten years or so, people start to share their data on the internet more and more, right?

Maybe with the introductions of new websites, new applications, people start to share more data, and in the last few years or so we can see so many data breaches in the news, right? And there are also people who are becoming more concerned about it. Maybe if you can summarize all these, what are actually the concerns from the company's point of view, and also from the users' point of view, why they should think a lot more about data privacy these days.

So I think I'll start with something a lot more high level and then going to hone in on the very specific example. So what has happened in the last 10, 13 years is pretty significant, because multiple forces have colluded together to change our world in ways that often makes it hard to recognize the world we live in compared to where we were like just a generation ago. We had an expansion of internet access unlike any time before in human history. We had a switch from pure laptop, desktop functions to mobile devices. We had the explosion of global ID.

So in the past where you had to create a username, password every single time, you can authenticate using your Google ID or a bunch of other IDs. You had the ability to build platforms to help provide people capabilities or to provide other people capabilities to sell stuff to customers at scale. Now, in the past, you had major changes happen in small increments. So you had Intel switch from memory to processing, which is a pretty big shift for its time. We had this amazing tech bubble in the late 1990s, but that was an example of innovation in search of actual utilization. You had people building amazing stuff but there was no market for it. But in the last 10 years we had several changes of that scale happen at the same time, and I don't think we have fully understood how much humanity has changed. Because in the last ten years, a bunch of other things have also changed that for misinformation, abuse of trust, power consolidation in the tech sector. We've also seen examples of unstable democracies essentially teetering on the brink, people saying stuff that is factually not true. So because all of these things have happened at the same time, it is very hard to scale anything or measure things in a meaningful fashion. So we have examples of people behaving badly, of people behaving carelessly, and sometimes both at the same time, as a result of which I can say we live in a world where our computational processing power far exceeds our model processing power. So the ability to measure change, the ability to balance innovation and personalization on the one side with competition and compliance on the other is very hard to do.

So I feel like companies need to worry about this because you could have things happen to you in a way that you cannot fully predict, at a time and place that is not of your choosing. And whether you are a company that's collecting the data and building the products on the one side or you're a customer who wants privacy but also low latency at the same time, you have a bunch of things, bunch of expectations, and a bunch of actions that are collectively incompatible with each other. And yet somehow, we have to figure out how to make sense of this world we live in, because everybody wants everything all the time. So that's the challenge here: how do you catch these things before something bad happens? How do you build the right tools? How do you build the right products? How do you course-correct before things go badly? How do you offer training and compliance at the same time? The lack of understanding and the lack of scaling and the lack of ability to undo things is the big challenge. So, my advice to companies tends to be, you should get things done correctly before you go too far down the path.

I remember, when in my undergraduate college days, one of our computer science professors, she had a sign outside her door saying days and days of debugging saved you hours and hours of planning, or hours and hours of testing. And I think that analogy is operative even more today, especially considering the volume of data, the scale of data, the prophecy of bad actors and the sheer complexity of the regulations and the tech stack we operated.

And how about from the user side? So what would be your summary of the concerns that people should think about now from the user's perspective about data privacy?

I remember this was in 2003, I was an RA in college dorm, and I remember this was the first time people had something akin to an online photo journal that was hosted by the university's intranet. And as an RA you are not allowed to drink. In fact, if I remember correctly, nobody was allowed to drink in the college dorm, and this guy thought it was a good idea to have an open bottle of alcohol, but like, this guy was not 21, and allowed himself to be photographed with that bottle and let somebody upload that photograph in our newsletter. He lost his job the next day. But there are so many of us who may have done, not me obviously, cuz I'm smart that way, but so many of us that have done things that may not be great from today's perspective, but there is no online record of it, right?

That was the first example that what you do in a confined space may not remain private for too long. So I feel like that's the lesson here from a Respect to, right? How do you make intelligent decisions with your data? But the challenge is, unlike somebody holding a beer bottle in their teens, the complexity now is like, you may end up doing, saying something online that may come back to haunt you. Or you may want things like, when you open the Netflix app, for example, how would you like it if the app takes 10 minutes to load? You want to go on Netflix online and you want to find something within the first 10, 15 seconds, so you can get on with it and get on with your evening. So you can Netflix and chill, right? With the customers is the same thing as the incompatibility of expectations around privacy and security on the one side and expectations around quick performance of your service ended up on the other side, right? That's the challenge here. And the other aspect is a lot of customers don't fully understand how the internet works, how online services get funded, because the domain has grown really quickly. And I think the tech sector has to do a much better job of telling people, hey, here's how we make the internet work, here's how your data gets used. So the lack of patience, the abundance of complexity, collectively means it's very hard for customers often to make an informed decision, and everything moves really quickly. There are too many in the pie, too many people in the kitchen at the same time.

And also the regulatory state. The tools that are being built to protect the customers at the government level and the company level don't fully appreciate the complexity and the volume of data. So everybody is moving very fast, the volumes of data and the number of transactions are going pretty fast, and as a result customers cannot always make informed decisions. Like how many of us read, forget online for a second, when you get a new credit card, you get the credit card bill in the mail and alongside the bill you get ten pages of small print, which is the governance in terms and conditions. How many people really read that stuff, right? The level of clarity, the level of understanding and the implications, and the gap between the two is, I think, the big challenge for customers to reconcile right now.

And you mentioned about regulations, right? I think I also feel that the regulations came up pretty late to take some actions before all these things become a messy kind of situations. I myself don't have familiarity with all these data privacy rules, regulations and things like that. Maybe if you can also share, what are some of the things, concrete things that some countries have done in terms of protecting their citizens, their users, for data privacy related. So I know one thing, GDPR, but are there other countries that are at the forefront of all these things?

So I would first qualify my answer by saying that when it comes to regulation, there are two perspectives. The one is, let's come up with something quick to address the most pressing issue in the land.

But the second perspective, which is something the policy folks that I work with, in the past, have educated me on, is the fact that you only get loose so much. The system. And if you look at the US government system, you have a House of Representatives 435 members, you need a majority of 218 to pass something.

And then you have the cell in which is the second half of the legislative branch of government, you have a body of hundred Senators to pour straight 50 states, 100 senators, and you need 51 votes to pass something, but you need 60 in essence to pass anything to make sure that something could actually get to the threshold by 51 votes can be to

passage. And then you have the executive, that is, a president who may or may not sign it, and then you have the judiciary, which is multiple courts across the country leading up to the Supreme Court, essentially, that decides whether the law is constitutional or not.

The system is very complex. So what regulators want to do is pass something in an omnibus fashion that covers as many use cases as possible, because the idea that you can pass something once and then pass something a second time and a third time is not always viable, because you have multiple bodies to convince, right? So if you look at, sort of, tax law, it only gets passed once a generation, typically.

I think the last immigration law that was passed of any consequence was in the 60s, if I remember correctly. So you have this extremely complex judicial system that has to pass and then enforce regulations, and it's very hard to do. So that is, when you say that it took a long time, it's because the systems that are required to work together to pass regulations are extremely complex. That's number one.

Second thing is, a lot of the people who build complex technical systems and the people who pass regulations are living in very different universes. The people who pass these laws tend to be policymakers, attorneys, who don't always understand technology. And the people who build these tools, collect this data, are often engineers who rarely understand the world of policy. So the gap between the doers and the builders on the one side and the enforcers on the other side is a

challenge. Now, that may not have been such a big deal 20, 15 years ago, when, as I mentioned before, cloud computing didn't exist, global IDs didn't exist, mobile computing was not a big deal. It may not have been a big deal at the time, but now, with the volume of data, with the number of good actors and bad actors, the amount of innovation taking place, it's extremely

challenging. So I think it is very easy to criticize the fact that the governments of the world have not moved fast enough, but I feel like the challenge is: do you move too fast and break something, or do you move too slow and come late to the party? There's a bit of a bad choice on both sides, right? Nobody wants to be the person that over-promised and under-delivered. The other thing I would say is no country in the world wants to be responsible for passing laws

that stymie their own local tech sector while allowing companies in a different country an unfair advantage. So there is the antitrust aspect to it as well. And I would say GDPR is a good start, CPR is a good start. The ISO standard that I was part of when I was at Google back in the days, it was a good start, but I feel like we're going to have to rethink the idea of how to

pass regulation. In this case, one of the reasons I wrote the book was hoping that I can have the attorneys, the policy people on the one side and the engineers, product managers on the other side come together to sort of really think about regulation in a meaningful fashion; not pass regulation necessarily, but tell the regulatory state that, hey, we were able to work internally in the company.

And here's how we think regulations can be better. And I want the regulatory state to read the book and say, hey, now we have an engineering perspective, because the name of the book is Data Privacy: A Runbook for Engineers. I want these folks to work with each other and say,

Hey, here's what the next tab. The next year if you are should look like, because I want engineers and non-engineers to work together in the company to meet their current obligations and use that cooperation, use those learnings to contribute to the next generation of regulations, which will in turn improve the next generation of innovation and make that virtuous circle happen, without distress without

talking past each other, right?

So, I think that's a pretty good objective, right, to have people build more awareness, including the government side. So, you mentioned this book is targeted for engineers in the first place, and I feel a lot of companies, product companies especially, when they build products, they may not start thinking about data privacy

first. I don't know whether maybe some companies are doing that, but a lot of times, they actually focus on the features, the functional requirements, so to speak, of what the product would do. In your book, actually in the first few chapters, you mentioned that data privacy is something that is hard to do, right? So for people to start, and you start the book by saying data privacy is that, maybe you can explain a little bit: what is the complexity required to start working on privacy

engineering?

So, even though the book is primarily targeted towards engineers, Henry, I think the book is aimed at a lot more people than just engineers. So I think of the book as three different books fused together. The first one-third of the book is aimed at engineers, attorneys, policymakers together, to understand, set context or a common vocabulary, and have a common sort of shared set of facts to start with. The middle one-

third is aimed primarily at engineers, to build the tools and the systems, and some examples from a privacy, security perspective. The last one-third is aimed at policymakers and senior engineers, because then you want to build things at scale. Think about maturity. Think about how do you build for trust? How do you think about reusing tools? How do you make privacy efficient, which is sort of a big topic these days, about how do you use resources efficiently?

So, I think, even though the book is aimed at engineers, it is aimed at a much bigger universe, because I think the end goal of the book is threefold. First is build better engineers who can focus on not just depth, but breadth; close the gap between the engineers and the non-engineers; and the third is to set the conversation on how we need to do

these things, not just because privacy, security are the right thing to do, but because it's good for business, it's good for national security, it's good for the company's bottom line. So if you can make those three things happen at the same time, build better engineers, bring people together, and make sure that good privacy and security are seen as good business, then this will become not a problem, but something that people see as an opportunity right now.

So, the other thing that I asked is, now, how do we get started, right? For most companies, I would say that they may not know the challenge, the kind of complexity that they have to deal with whenever they think about data privacy and privacy engineering, so to speak. So maybe if you can elaborate a little bit more, like why data privacy could be hard for engineers or product companies to start thinking about?

I would like to quote another

president. I quoted President Nixon once, and quote President Kennedy, who said that the best time to fix the roof is when the sun is shining. The reason privacy is hard is because people buy a really big house. They want to make sure it looks really nice on the outside. They buy amazing, expensive furniture, kitchen cabinets with granite, etc., but they forget to

fix the roof. And it's not a big deal because they moved in the summer, because that's when most people move, because it's break from school, right? And then the rain comes in the winter, the snow falls down. And then you realize the fact that you didn't have a good roof means that your home is now flooded. Privacy is kind of like having that flooded house because you didn't fix your roof in time. That's the challenge here, right? So that is why it's hard.

Because by the time you focus on privacy, your home is flooded, the street is full of snow, the people who want to fix the roof can't get to your house in time, and as a result, the flood water keeps rising. So privacy is hard because people start too late, quite frankly, because people don't understand that privacy and security risks are not something you happen to come upon in one day.

It is the combination of risks you have built over time: bad decisions you made, good decisions you didn't make, things you delayed, things you knew were a problem but you chose to look the other way. So it is a combination of a lot of different risks, and I think people sometimes feel like fixing privacy is all about hiring

somebody like me or buying my book, but that's like saying that you can eat badly all day, all year, and then on the first of the year, you will pass a New Year's resolution, you jump on the treadmill for 10 minutes and then wonder why you didn't lose the 40 pounds you gained over the year, right? Sometimes it's about accumulating risk over a long period of time and then trying to do a quick fix that will not fix the issue at hand. Right?

So that's why privacy is hard. The good thing is that there are things you can do incrementally. You can make the argument that collecting only what you need is not just a privacy imperative, it's sound business. Like, you don't buy food that you'll never eat. You don't buy a car that you will never drive. Why would you ship something that you'll never use? Why would you collect data that you wouldn't use? Why would you collect bad data? Why would you use data that is outdated?

So the things you do wrong from a privacy perspective are also bad from a business perspective. So even if you don't understand the first thing about privacy, you should know that the things you fixed for privacy will also benefit some other part of your business. You should not be encrypting data that you will not be using. You should not give access to data for people who don't need access to that data, right?

So if you think about privacy not as just a regulatory concern, or a trust concern, or a compliance concern, but as a business efficiency concern, you are already off to a good start. Just as you build privacy risk over time by not thinking about the business efficiency aspect of things, you start addressing privacy concerns by asking yourself: what can I do that is right from a privacy, trust perspective, but also right from a business perspective?

So thinking of privacy and business not as competitive tension issues, but as business efficiency issues, is the way to go.

I like the way that you frame this: privacy is also something good for the business, right? It's not something just to comply with regulations or comply with the user's needs, but actually it's also good for the business.

Exactly.

So in terms of the actual details about privacy, in your book you mentioned fundamentals. Actually, privacy is all about handling the data, right? How do you collect the data? How do you store data, classifying, things like that, in terms of implementation?

Maybe if you can give a little bit of explanation for engineers who are the listeners here, what should be their concerns, or what they should think about, maybe during the design, maybe during implementation, and maybe during how they handle the data within their whole ecosystem of systems within the product company.

So let me give you a very specific example here, Andre. So I think of privacy as security

plus. And I know people get really mad in the privacy domain because we don't like it when people love busted security and what separate. But honestly, if you think about traditional security, we're talking about firewalls, certificates, encryption keys, things like that. The assumption is that's all you need to protect data. The problem with privacy is you have to think of security as privacy the. So if something is a security risk, it is by definition a privacy risk too.

So if you, in an unauthorized fashion, get into a company's database and you steal somebody's data, that's obviously a security risk and a privacy risk at the same time, right? But what happens if you are able to bypass security, either because you are an employee of the company or because you got into the company's domain in a sneaky fashion? What happens if you get authorization to the data and then it gets used incorrectly? So, as an example, I collected your data to recommend to you

shoes, or on amazon.com, the next thing you should purchase. If you bought dog food six weeks ago and your dog typically needs that same food refreshed once every six weeks or once every eight weeks, then at the fourth week, it makes total sense for me to give you an ad saying buy this. Now, that is totally legitimate as long as we have consent and whatnot, right? But if I infer things about you like your race, your gender, etc.

That's a problem, right? So, from an engineering perspective, how do you think of privacy and security not just as infrastructure and protecting the company, but about using the nuances of the data and protecting the customer as well? What happens if you collect data that you should not have collected, or if you collected data correctly, but now it is being used to do things that were not initially possible? So the challenge with data is data is a living, breathing

organism. If you collected my data three weeks ago and it was perfectly legitimate to collect that data and use it for a certain purpose, but now, three weeks later, you also were able to obtain some other data about me from some other source on the internet, and both of those combined can tell you things about me that you may not have been able to infer with the first collection.

Anyways, that's a problem, because now you have possibilities to do stuff to me and my data that you couldn't do before, and I don't have the ability as a customer to know that. So my insight to engineers is: continuously classify the data based on risk, tag data based on your understanding of the risk. And S policies on an ongoing basis. Because if you do those things, then just as the data and the risk accumulates on an ongoing basis, your ability to understand that risk and protect

your customer from that risk also happens on an ongoing basis. It's a bit like when you, let's assume you eat a lot every single day like I do. As long as you work out the next morning, there is a good chance that what you are accumulating in terms of calories is being burned in terms of your running. So just as you do everything in moderation and balance risk and rewards, if you do it in every other aspect of your life: if you have a big expense, and you cut back on something else.

If you stay up all night watching a movie or something, you get some extra rest over the weekend. Life is about compensating to checks and balances, right? So should be privacy and security. So my advice to engineers is: use tooling, use processes, use cross-functional checks and balances to make sure that just as you innovate, you can also protect; just as you

collect, you can also destroy; just as you provide surprises to your customers, you can provide them transparency and trust and choices. It's all about making sure that there is a counterweight to everything else you do on a daily basis.

Wow, I think that's a pretty good message, right, for engineers here. Always be conscious, trying to classify your data, the risks associated with the collection of the data, and also thinking about compensating,

right? So if you collect more, maybe one day you should think about destroying. So I had this one, maybe, advice in the past of my career: just collect the data, who knows, one day in the future we will need it, right? So I think that advice does not apply anymore in this data privacy related world. And also one more thing is, how can we build a privacy-first culture within the company, or maybe for developers, it's like privacy-driven development?

I don't know whether that term exists, but how can the company start building this culture, so that people, whenever they work on a feature, they will conduct a new product, they start thinking, okay, maybe we should put privacy at one of the forefront of the concerns that we should think about, in the design, in the approval and things like that?

So, I'm going to give you two answers to your question. First is at the more strategic level, and second

is more brass-tacks examples. So I often tell people, and this, I think, has become almost cliche for me to say by now: you would not have medicine without checking for the side effects first. When you go to the grocery store and buy milk, you check the expiration date, right? All right. At least I do. When you drive a car, and before you do, hopefully before, although in California people don't do that and more people should.

But this is California, where nobody knows how to drive; different topic for a different day. But before you turn left, before you turn right, you check the light and you check to make sure nobody's coming, right? In every other aspect of your life, common sense dictates that you account for safety and you account for some verification. Why on earth would you collect, ship, sell, share data without? Because especially when it comes to real life, if you buy four dollars worth of milk and it

turns out it's not great, you can always go back to the store and return it, or worst case you're only out four dollars; you will not drink bad milk, right? Why would you behave in a fashion that is cavalier when it comes to large volumes of data? Especially since, if you make a mistake with that data, it could affect somebody's life, it could lead to a big fine for your business. It could lead to a consent decree. It could lead to roadmaps being

permanently affected, right? So just common sense, from a business perspective, dictates you should ever become zero privacy. But the second thing is, as I mentioned before, when you build the tooling and the processes to protect privacy, you are also building tooling and processes to protect your business. If you collect data that you

should not collect anyways, then when it comes to discovering their data, and if you want to reuse the data for the wrong purposes, you will then have to spend a lot of time to understand: okay, what did we do with it? How did this happen? How should we prepare in the future? And that is time

when you could have spent building the next product that will get you a ton of engagement and revenue. So privacy mistakes will not only surprise you at a time not of your choosing, but they will affect your ability to make money and build stuff that will help your company succeed. So having the right tools to check for privacy risks is extremely critical. Companies have invested in tools to make sure that you can block any code releases that will

break your build. They will make sure that you don't release something on a Friday night before the weekend. If you work for a retail company, I bet you there are checks and balances to make sure that you don't release something the day before Christmas, right? So my sense is building the tooling for the right privacy honestly could help you build those other tools to protect your business, right? Because Christmas comes once a year, so you want to be careful of that release. When it comes to

bad privacy risks, there is no such thing as Christmas or New Year's; every day could be Friday night, right? So you want to make sure that you build the right tools to protect yourself and the company. So there is the strategic business reason to protect privacy at all times. But there is also the ability to protect your roadmap, your own performance, your own bonus, your own release cycles, your

own metrics. So whether you see it from the do-the-right-thing business perspective, or you look at the right perspective from a business self-preservation perspective, you want to build a culture of privacy. It's the right tools, the right processes, the right verification. And fundamentally, I'm not talking about something that's rocket science. Everything I've talked about, if privacy and GDPR didn't exist as topics, people would still do

them anyways. It just so happens that privacy has become this big scary thing that people are afraid of. Honestly, I tell people that if most companies did the right thing from the basic perspective, I wouldn't have a job, you wouldn't need me. Now, I'm glad I have a job. I'm glad I exist, but the reason I had to do this, to write the book and teach these courses, is because companies often end up in two extremes: they either don't care about privacy and get surprised

and then have to spend the next 10 years trying to fix their mistakes, or they become overcautious and piss everybody off and end up stifling the engineers in the company with unnecessary process. My job here, my goal, is to find that balance in the middle where companies can make informed decisions based on the right tooling, make the case for intelligent regulation and intelligent innovation, and showcase their work to the customer.

So they can get credit for doing the right thing from a privacy and security perspective.

I want to bring up one recent trend which I believe some people think in a different way as well, in terms of collecting data. So we are talking about AI and machine learning these days. So, as we all know, for this machine learning to work properly, you need to have lots of data, lots of labels, tags, so to speak, right? You need to classify the users

with a lot more attributes. So what's your take with all this new trend, right? Or people think that you have to collect more and more, identify the users better, so that the machine learning model becomes more accurate. Maybe you can help to give an advice here for people who think that actually, for building machine learning, we need to have more data.

So before I answer the question, I want to be a little snarky

here. There are some words people use to appear smart. So I remember, after I got married, my wife and I would go to nice grocery stores, because until then I would go to the cheapest grocery store, but with her I had to go to nice places, and a lot of products had words like organic, farm fresh. I still don't know what any of that actually means. But people often say things to sound smart. In Silicon Valley, a year ago, you had to say homomorphic

encryption at least once in the first 10 seconds or people didn't think you were smart. Now the topic is generative AI. Six months ago it was governance, right? So what I would tell people is that, first up, a lot of people are using these words without knowing exactly what they mean, because that's how the world works these days.

So don't be intimidated. Ask questions and try to make sure you have your facts in place before you make decisions about data or make the case about having more or less data. That's point number one. And I still don't know what farm fresh actually means, but that doesn't stop me from asking the question. To answer your question specifically, I would say AI and data collection is extremely

complex. On the one side, you have to collect data to represent the sample size more accurately, to govern for data quality, to check against bias. On the other side, I'm not as concerned about people collecting data for AI

purposes. I'm more concerned about people collecting data without caring about the data. As long as you have the right controls to sound the utility of the data and then delete it once its usage is complete, I'm okay. As long as people know what they're collecting and why, and then deal with access control intelligently, that concern goes down. So I think data collection and AI can be done intelligently, thoughtfully, as long as you have the controls in place, not just to protect

people's privacy, but to make sure that the data itself is useful and correct. That's number two. The third thing is, from a security perspective, data collection is also important, because unless you have the right level of profiling of users, you cannot decide which user is about to DDoS you versus which user is getting unethically, improperly

penalized. So I think it is less about collection but more about careless collection, less about volume of data and more about the lack of controls to enforce policies on the data, right? Because this is a continuously learning process. You collect the right kind of data. You check to make sure you A shortage in your collection processes or deficiencies and then you improve your collection processes and then you identify something that happens someplace else you improve your processes.

So it's about teaching your AI models to be a better representative factor of the customer data and better utilization of your engineering resources. It's about continuous learning for yourself, for your business, for your tools and for your data itself. Remember, AI is not this thing that fell from the sky. It's something that was built by human beings, but with massive amounts of data and massive amounts of scale.

So you have to learn not just from a model perspective, but also from yourself, in terms of building the model in the first place.

I think that's a very good insight from you about AI and generative AI. So, like, also people talk about it a lot these days, right? But maybe they are not familiar with the whole thing and think, like, we just collect data and maybe one day an ML model will find it useful. So you mentioned a couple of times now that it's important to

have tooling within the company. Maybe if you can give a brief, like, what kind of toolings are available out there? Is that something that can be automated, or is that being more like a library, client SDK that we can embed? Or is it something that is more low level? Maybe if you can share some of the tools that are available so that people are familiar with them.

So the challenge is there is no definitive tool available from a privacy perspective, because there is no definitive single privacy law. For that matter, in the U.S. we have multiple breach notification laws that I think vary state by state. I'm not an attorney is protecting, my facts are in place here. The absence of a law means that there's absence of a proper

tool. I mean, in the U.S. we have very complex, very archaic tax law, and we have multiple tax preparation software that were written to basically scare the crap out of me, because it's extremely complex, and I have no way of knowing if everything is correct. I'm just hoping that the tool actually works. My only other choice is to go to a CPA or do it myself, and every option has downsides to it, right?

So there is no tool off the shelf, which is part of the reason I wrote my book, part of the reason I teach my courses online, and the choices for companies are the following: build something from the ground up within the company. That has the upside of having been built by people that have the tribal knowledge, but that has the downside of essentially being built by the same people that didn't see it coming the first time around.

So there is a trade-off there. There are multiple off-the-shelf solutions, third-party tools. I advise some of these companies, to be totally honest with you, and they are trying to fix these problems from an outsider's perspective, but also make sure that there is a standard in the industry, so that not everybody has their own bespoke software. That's number two.

The third model is start with building something in our sin by a third-party vendor or by a third party vendor and then build something on top of that to provide coverage for their own use cases. I don't think there is one answer for any company. Hopefully, we get to a point where, on a sector-by-sector basis, or for different kinds of data, for different kinds of cloud vendors,

there are a certain set of tools that work, but I think the domain, as you mentioned in the very beginning, Henry, is in its relative infancy. So I don't think we're at a point where we can just build something for everyone, because we don't have one law in a given country, we don't have an example of how one law can be properly, verifiably complied with, and we also don't have a common way of doing things. Like, there are companies that are legacy companies moving to cloud

for the first time. There are companies that, for a whole host of reasons, prefer an on-prem infrastructure. There are companies that still have a monorepo, other companies that have multiple repos. There are companies that have single point of failure, other companies that have a multiple microservices model. There is so much diversification at the engineering level, at the privacy level, at the customer expectation level, at the

international legal level, that it is very hard to have one tool, which is why, again, I tell people: shift left, start early, keep improving, keep building that virtuous circle, and then you can make this decision on an informed basis without being forced to comply with a law that may be expensive to comply with and in the end will not protect yourself from others and IP perspective and will not protect your customers as well.

I think I like the way you mentioned about shift left. So as we have shift left with so many things, you know, like automation, security, and things like that, I think privacy could also be one area where we can shift left and do better planning earlier. So one thing is about companies collecting the data for their own purpose, right? I think these days, we can see a lot as well about data being shared with other third-party apps or other users.

So data sharing, I think, is also one thing that we can discuss a lot about today. What do you think about this aspect: companies collect data, and then they can share it with other people? You can think of it like Google having a consent screen: we will share your data to these third-party apps, or maybe even like some of the apps doing so as well. So what will be your key message here about data sharing?

Two things.

You know, what happens in Vegas may stay in Vegas, but very little that happens elsewhere stays in that location. So that's number one. I'm sure I could have landed that joke a bit better, but the general point remains that any time data leaves your system, that is data sharing. So you turn on your TV and open the Netflix app. There's a bunch of stuff about you going to the Netflix servers. Now, this is not creepy at all, because Netflix needs that data. They need to understand where you live.

Are you who you say you are, your device ID or internet connection, your browser type, etcetera, because the streaming experience has to be customized. It's not like a DVD, which, by the way, the Netflix folks shut the business down, right? So everything is now online from a streaming perspective; that is data driven. The problem starts when that data now gets shared and used for other purposes.

When you collect that data as a company and you give it to third parties without an understanding of what happens to the data once it gets there. Does that third party have good privacy, security practices? Is there an attack possible in the middle while the data is in transit? That's number two. For me, the biggest risk from a third-party sharing perspective is what happens when the data you shared, the data that exists

on the dark web, the data the vendor may have, all of which combine together to fundamentally change the risk calculus. Remember, we talked about risk analysis at the beginning stage of data collection, right? We talked about classification, inventory, tag, labeling, etc. That happens once or twice in the company's history. But then what happens is, once that data gets pooled with other data, the risk factor changes completely. For people listening

to this podcast, you guys should Google Mitt Romney Twitter account, so M-I-T-T R-O-M-N-E-Y, Romney Twitter account. Governor Romney, or Senator Romney, is a former US presidential candidate. He is a highly placed official in the US government, a very famous presidential candidate, a very successful venture capitalist. He mentioned to a journalist, I think three or four years ago, that he has a private Twitter account. So he has a public account because he works for the U.S.

government. But he also mentioned, he has a private Twitter account, he didn't mention the handle and a journalist who listen to that interview was able to identify within a few hours want that Twitter account was, and that was based on information about the Governor Romney that she had, how many kids he has, what his business ventures? Were what his history is including, where he served as a missionary, for his church, in his younger years based on Purely that piece of information.

She was able to figure out the account. Now, this is somebody who was not a computer science engineer, this You don't have privacy domain expertise, and she was able to figure out within two hours. Think about what we can do to somebody's anonymity, somebody's identity, somebody's physical safety at scale with massive algorithms, massive compute power, right? So I think that is kind of the challenge when it comes to data sharing. As I mentioned before, data is

not static. It is a living. Breathing organism data is not like tax law. That only changes once every generation data changes. Every single moment, your data. My data is changing as we speak as more words come out of my mouth and can transcribe on your system, right? So I think what people People typically don't get from a sharing perspective, is they go after hacking, they go after exploration, they go after a

tax. But the real risk is what happens to the data and what happens to it without any malfeasance intended by anyone or what happens based on decisions that were made, two, three, four, five years ago, that were totally legitimate decisions, based on what we knew at the time, but with the Advent of new technology, new algorithms, new manipulation systems, new AI Etc. The fundamental risk calculus has changed and it's very hard to reverse those decisions because the cats are the

daughter. Point, right? And I so want to discuss from the end users point of view. I find sometimes we are at the disadvantaged position, right? So we all these, for example, if you see consent screen that an application wants to access your data from Google, for example, there's no option where you can say, no, if you say no that, basically that means you can't use any of the pictures from the apps. And also, for example cookies.

Now we have all these pop-ups, but most of the time, actually, the option is like "accept cookies", right? So I think sometimes the end user is at a disadvantage, like not having a good option not to share their data consciously. So what would be your message here for people, maybe for end users, about thinking before we actually give consent to our data?

So this question kind of goes into the legal realm a little bit.

So I'll be able to provide a very limited answer, because when consent is required, how it should be collected, the clarity of the copy, that is more of a legal question. And just as the attorneys don't teach me how to write code and build services and create metrics, I probably shouldn't be moonlighting as an attorney anyway. What I will say is, from the engineering perspective, from a tool perspective, it is critical to ask yourself: Are you giving the customer enough information? Are you giving the customer too much information? Are you giving the customer an informed choice? Because at the end of the day, this is a combination of the tools you build, the copy and the language, the clarity of the language itself, and the clarity and the integrity of the policy that's behind it, right? And honestly, what happens is people have to go through their life on a daily basis.

As I mentioned before, I don't remember ever reading all the details of the credit card statement that gets sent to me. I pay my balance in full every single month, and my assumption is everything will work out correctly. If I'm paying my bill in full, there'll be no interest charged, no late fees charged. But there are people who may not be able to pay the full balance, for whom something in those policies might actually mean something. So this is not just about privacy or security. It's about the complexity of the law. It's about sort of the details in there. Back when I became a naturalized US citizen, I was told multiple times that if there was ever a misunderstanding of anything, it was my responsibility, as if I'm supposed to single-handedly understand the complexities of immigration law that was passed in 1965. My parents were not even in double digits when that law was passed, and yet I'm supposed to understand every single detail.

So I think people are honing in on privacy and consent a little too much, because there is this larger challenge when it comes to the disconnect between the people building the tools and the people writing the laws, the people who use the products and the people who push out the policy. There is a significant disconnect that did not begin with privacy.

The challenge is privacy is much bigger simply because of the volume of data, but I think we have to, as a community, figure out a way that the people who build stuff and the people who write these policies are in the same sort of contextual framework as the people who say yes or no to these policies.

I don't think what they are. I don't have an easy answer right now, because as I mentioned before, this challenge predates the emergence of privacy and security as risk areas.

Thanks for your valuable input. So in terms of the data that we collect, you mentioned a couple of times you need to do risk analysis, do classification, and in your book, in the latest chapters, you also talk about a privacy maturity model. Maybe you can give a glimpse: how should people start categorizing, classifying the data that they have collected in the company, and what kind of things could they aspire to build as a privacy maturity model within the company?

So let me give you a very specific example, right?

You want to make sure that your categorization of data is as contextual as possible. So as an example, just to stick with the Netflix use case, when you collect customer data as a streaming platform, you could make the argument that somebody's IP address is very sensitive location data, because if you get their IP address, you could pretty much identify where they live, and then you can infer from there their gender or their race. From the streaming data, you might be able to infer other details about them, things like that. If you use their IP address only for the purposes of personalization, that's a challenge. But in that case, if you think about it purely through the lens of risk, IP address should be very, very sensitive data, which means collect and delete quickly, minimize access, things like that.

But if you only use the IP address for security purposes, to check from a DDoS perspective, maybe it's better to have that data in a separate database, keep it for a long time to study trends and patterns, but minimize access. If you collect an IP address from someone and they live in New York City, where it's very densely populated and it's very hard to hone in on somebody's specific location, maybe the IP address is not very sensitive because it's hard to identify someone. But if you are like my father-in-law, he lives in a small town of 600 people. He genuinely believes the government is trying to keep an eye on him. He's one of those paranoid type of people. Maybe in that case it is very sensitive, because there is an individual who's concerned, but also the identification risk is very high.

The other example is, if you could collect somebody's IP address, get consent for collection, but lump that IP in a group of a lot of people, so that identification risk for individual users is very low, then the risk goes down. So what I'm generally saying is, when you collect data, before you categorize it, before you inventory it and tag it, there are decisions you can make to the data, about the data, that might impact how seriously you treat the security or privacy of the data. You can reduce the risk by doing things like aggregation, perturbation, data obfuscation, or some other modality of verification of data, you can increase, in which case you can keep the data for a long time. In other use cases, you can collect the data and not change it at all, in other words take on the risk of identification, but keep the data for a very limited period of time, minimize access, in which case the risk goes down.

So there is a constant tug-of-war between the precision of the data and the retention of the data, the longevity of the data and the precision of the data, right? So you have to sort of see what that balance looks like for you, and that balance may change on a day-to-day basis, week-by-week basis, depending upon the volume of data you have, your risk appetite, the nature of the customer, the kind of data, the stage of growth you're going through, the country you're doing business in.

So what is totally fine to do in Thailand may not be totally fine in Germany, for example: different histories, different risk tolerance, different privacy sensibilities. So privacy is very contextual, it is very visceral. So you have to make sure that the tooling and the processes that you build for it are responsive to that complex nature of privacy.

Thanks for such elaborate answers. Just by looking at IP address itself, there are so many contexts where it can relate to it.

For example, is it very sensitive for some company, or for some users? So these things definitely are not abstract; it's 100% always applicable to many companies, many users. Sometimes think within your context how the data could be used or misused, and how do we protect it, right? Classify it, protect it, and maybe even think about storing it differently for people not to get access.

By the way, I appreciate you saying the answers are elaborate. That's a polite way of saying that I talk too much. I appreciate you deploying a euphemism a little bit there, right?

So, Nishant, as we go to the last part of the conversation, there's one question that I would like to ask you, which I ask all my guests. This question I call the three technical leadership wisdom. So think of it like you want to give some advice to people here, so that they can learn from your journey, they can learn from your experience.

So what will be your three technical leadership wisdom to share here, Nishant?

So when it comes to technical wisdom, to the extent I have any, I would say that when it comes to fixing for privacy and security, it is no different than any other innovation. Think of privacy as a product. Sometimes people who work in privacy and security make the mistake of thinking of privacy and security as a cause, as a moral issue.

Now, it is those things. Your decisions when it comes to data could affect somebody else's. They would affect somebody's preferences, they would affect somebody's physical security, right? So it is a moral cause, but that is the beginning of the conversation. If you went to any corporate CEO, they will tell you, we care deeply about privacy and security, most important thing. They will also say, we care deeply about growing our business and keeping our employees well paid, most important thing. What happens when there is a conflict between those two? Life is about making choices, right? So recognize that, and recognize that whether it's privacy, security, misinformation, AI fairness, equity, whatever your cause is, they are looked at through the prism of the business. So when you make the case for funding, for tooling, ask yourself, how do you make the case in a way that responds to the needs of the business?

Now, there will be examples where it is critical to do the right thing from a privacy and security perspective, no matter the business cost. Like, you would not hire an engineer who says it is okay to say bad things about people based on their race. You would never hire somebody like that, right? Even if they happen to be a very good engineer from a coding perspective. But in some cases, there are choices that are very critical to make, but that is not true in every use case. Like, you don't have to run privacy and security in a way that hurts the business. If you hire an engineer who does not speak or present very well, you can coach them from a communication perspective. So it is one thing for you to say, I'm not going to hire an engineer who has bad morals, which is exactly the right thing to do. You should hire somebody like that but you can't say no to everybody who is different than you. So you have to have that level of judgment when it comes to privacy and security. You need to be very deliberate about telling the business we shouldn't do this because of privacy or security issues, no matter the cost to the business. But there are 50 other cases where you can say the business wants X.

But if you just do X a bit differently, we can get the right privacy outcome. And in the long run, that's better for the business anyway. So try to recognize that there is sometimes a moral case to be made, but in a lot of other cases, there is a business-sensitive case you can make that will make the right case for privacy and make the right case for the business as well. So that is my lesson. A lot of engineers often get extra careful and they hurt the business with unnecessary process. And in some cases they become extra careless and they hurt the business because they didn't do the right thing. Recognize when it's important from a moral perspective. When are you doing too little? When are you doing too much?

My lesson to engineers is: ask questions, seek out the legal team, the comms team, document things whenever possible, but if you have concerns, say something. The worst thing is, maybe you will ask the wrong question at the wrong time. There is a lot of forgiveness, in my experience, for asking the wrong question or taking initiative. There will be a lot less forgiveness if you knew what the right thing was and still didn't do it. And I have run my career the same way. I ask questions, I do my research, I'm wrong as often as I'm right, and I'm still learning as well. This is a learning experience for me as well. So be humble, be creative, be ethical. That's my advice to engineers.

I would give the same advice no matter what question you asked me, privacy or otherwise. The other advice I would give is, don't wait for regulation. My general, my big frustration in life, honestly, when it comes to engineers, is engineers have allowed themselves to be painted into a corner. Now, if you watch movies, people who play attorneys, people who play every other profession get represented in a very, very glamorous way.

I don't remember the last time an engineer was cast in a TV sitcom or in a movie where the engineer was sort of the leading role. I don't know if you watched the U.S. sitcom Friends from the 1990s; the only person that was a borderline engineer there was Ross Geller, played by David Schwimmer, and they made fun of dinosaurs. They made fun of him as well for his profession. So I think engineers often accept the idea that their job is to write code and do what somebody tells them to do.

No, I think engineers should be willing to understand what they are doing. When data is extremely complex, it has implications upon people's lives, but it also makes the company a lot of money. So don't wait for the regulations. We should wait for the requirements, but don't always wait for the regulations if you feel like you can make a more intelligent way, build a more intelligent tool, come up with a more intelligent process to protect privacy.

Make the case for it. Tell people what will happen this way versus that way. Make the case based on data, make the case based on scenarios, make the case based on business impact, and recognize that engineering is business from a technical lens and the business is engineering from a non-technical lens; the two are connected. So my advice to engineers would be: think about somebody else's data as if it were your own, and ask yourself, how would you build the right tool for it?

So don't wait for regulation. Like, if your house was on fire, you wouldn't wait for the fire alarm to go off. If you can see the fire, if you can feel the heat, you'd probably run for the door. Hopefully fixing privacy is not like running out of a burning building, but ask yourself: why not do the right thing today rather than waiting for the regulation? Because it is entirely possible that you have discovered something that the regulators have not. You can build the right tool and inform the next regulation that will benefit a lot more people. So this is a chance to do the right thing for your business, for your customers, and also for your own career as well, because you've done something nobody else has done so far.

Wow, I find it a very insightful and inspiring message for people to start thinking of data privacy as a product. That's the first thing, right? The second thing is, don't wait for regulations. So whenever engineers deal with the data, always think about privacy first, right? And think as if you are the users who are sharing the data with the company, right? So I think that's a real key message. It's been a very exciting conversation, Nishant. For people who would love to connect with you, ask you more about data privacy, or learn from your courses and things like that, is there a place where they can find you online?

Yeah, they can go on LinkedIn, and I'm the only person in the universe that I know of whose first name is Nishant and the last name is Bhajaria. So there's an irony that the privacy guy has a name that nobody else has. So I have zero privacy online in that respect. But yeah, I'm on LinkedIn. I get a lot of messages there.

My book is available on Amazon, and I will say all proceeds from my book, all proceeds from my LinkedIn courses, from a royalty perspective, go straight to animal welfare, which I care deeply about. So if people wanted to buy the book, take the courses, they have the benefit of building their own skill sets, protecting their business and their customers, but also donating money to charity indirectly as well. So any help in that would be much encouraged, much appreciated.

Wow, that's another great cause that you're doing with the animal welfare. So for people who want to check out Nishant's resources, please do so.

If I can just make one more point. I care deeply about animal welfare. I care about helping dogs get out of high-kill shelters. A cause very close to my heart is elephant conservation. So if you travel all over the world, don't ride elephants, don't use elephants in circuses; they get beaten up horribly. So it's a cause very close to my heart. So I know this doesn't have much to do with privacy, but if you think about the world we live in right now, whether it's addressing the next pandemic, water shortages, air pollution, ecological conservation, elephant welfare, they're all connected to each other. And if we have learned something from COVID in the last two or three years, it's about how the problems we will face in the future are not going to be problems that we can easily fix in one fell swoop. It's a very connected, intermingled, complex ecosystem. So I care deeply about elephants and animal rescue and the environment in general. But it's a larger issue, and it's going to be something that's going to be very important in the years to come, just like privacy and security are from an engineering perspective.

Thanks for the important plug, important message for people. I didn't know about all these elephants being beaten up and things like that. So I think that's also new information, maybe for some of us.

Sure, thanks for sharing that, everybody. Thank you. Yeah. It's been a pleasant conversation.

Thank you so much for this talk. I learned a lot about data privacy. So thank you again, Nishant.

Thank you.

Thank you for listening to this episode and for staying right until the end. If you highly enjoyed it, I would appreciate it if you share it with your friends and colleagues who you think would also benefit from listening to this episode. And if you are new to the podcast, make sure to subscribe and leave me your valuable review and feedback.

It helps me a lot in order to grow this podcast better. You can also find the full show notes of this conversation on the episode page at the techleadjournal.dev website, including the full transcript interesting. It's and links to the resources mentioned from the conversation. And lastly, make sure to subscribe to the show's mailing list on techleadjournal.dev to get notified of any future episodes. Stay tuned for the next Tech Lead Journal episode. And until then, goodbye.

Transcript source: Provided by creator in RSS feed