Data Privacy as a Competitive Differentiator by Jarell Oshodi
A Comprehensive Guide to Data Privacy Compliance: Insights with J Oshodi
Meet J Oshodi, a seasoned privacy professional with a Bachelor of Science from Hampton University and a JD from Mercer University. As a certified Information Privacy Professional and a veteran attorney in the field of Data Governance, Information Security Privacy, and FOIA over the past ten years, Oshodi also runs his own law firm specializing in protecting clients' data and providing privacy training and workshops.
Mapping Your Data: The First Step To Privacy Compliance
The discussion begins with a crucial part of privacy compliance - data inventory mapping. It involves identifying the data you're sharing, knowing the data owners, and being aware of the retention schedule. This could be done via an Excel spreadsheet or through automated software.
The importance of a data inventory map cannot be overstated as it significantly helps minimize data, thus reducing risk. It proves critical during data incidents or breaches.
The MIND YOURS Privacy Framework
J Oshodi discusses the MIND YOURS privacy framework, which entails the following steps:
- (M) Mapping Your Data: This involves creating a data inventory map for your system.
- (I) Implementing Privacy by Design: This implies being consultative with data privacy professionals or attorneys throughout the product development process.
- (N) Notifying Third Parties: It is essential to keep vendors, contractors, and customers properly informed via privacy notices or policies.
- (D) Developing Privacy Operations: This step involves training, creating privacy champions within various departments, and understanding the importance of privacy.
- (Y) Understanding Contracting: Ensure your vendors protect data as well as, if not better than, you do.
- (O) Conducting Privacy Impact Assessments or Data Protection Impact Assessments: This is for understanding the risk involved when sensitive personal data is in the picture.
- (U) Undertaking Breach Response Preparations: You should have a data incident response plan and set procedures in place.
- (R) Regular Data Security Functions: This is to ensure that proper controls are in place to protect your data.
- (S) Staying Updated: Always stay up-to-date with privacy compliance and best practices.
Data Privacy and Career Preparation: Insights from J Oshodi
When asked about career preparation in the privacy space, J Oshodi mentions that certifications like the CIPP or CIPT can give employers confidence in your commitment to privacy. But experience is usually preferred over certification. Key skills required include conducting privacy impact assessments, research and writing skills, problem-solving, and a thorough understanding of privacy laws and principles such as the GDPR.
To conclude, no matter your role in the data privacy field, being resourceful and staying up-to-date with changes in privacy laws is paramount. And always aim to uphold the underlying principles of privacy compliance and protecting data subjects' rights.
For any further information or queries, you can reach J. Oshodi via LinkedIn, through his personal website, or by email.
Video Transcription
Uh My name is J Oshodi. I received um my Bachelor of Science from Hampton University. Um my JD from Mercer University. I have a certified Information Privacy Professional Certification. Um And I also have the CIPM which is for um managers. Over the past 10 years I've been a licensed attorney in Georgia and I have been working in um data governance, uh Information Security Privacy and FOIA. Um And I also found that the Law Office of Jello Shy, which is a law firm dedicated to protecting clients' data and providing privacy training and workshops.
Let's get started. We are going to discuss the MIND YOURS privacy uh framework. And we're gonna start with the most important part of privacy compliance, which is mapping your data. Um It's important that you have a data inventory and you're able to identify what information you're sharing what personal data um is in your system who owns it. Um What's the retention schedule? It can be an Excel spreadsheet, it may be automated. Um There are all types of great resources and software out there um to help create your data inventory map. Um And what's great about the data inventory map. It's helpful when trying to minimize data, which helps to lower the risk because lots of times we have data that we don't need, maybe the retention schedule, um shows that we should have only had it for five years. It's been 10 years. Let's, you know, let's dispose of that data. Um Lots of times we have social security numbers and we recognize based on a legitimate purpose, we don't really need social security numbers or for whatever be whatever um reason we are storing lots of information and we recognize we don't necessarily um need.
So inventory map is most important when it comes to data privacy compliance and also when it comes to uh a data incident or a data breach, which we will get to um at the end. Next, we have the I in MIND YOURS. Um The I is important for implementation of privacy by design whatever product or service you're providing is important as you're consulting with um data privacy professionals or attorneys making sure that you are keeping privacy uh in mind throughout the entire process. Uh As you are building a product, you may recognize that you may be collecting unnecessary data. Um You may realize that consent is required for certain types of information um through uh through your privacy professional, your privacy professional may inform you that um it looks like you'll be marketing to clients in Europe. Um GDPR applies here. It looks like you'll be marking marketing to clients in California and uh you have gross revenue of, you know, 20 th uh 27 or $30 million basically above the threshold. So CCPA that California's Privacy Act applies uh different things like that, that um it's important to reach out to privacy, to take certain considerations um to keep certain privacy considerations in mind, especially when it comes to the data life cycle of personal data, which is the collection of data.
Um the use of data. And I'm saying data, I I mean to say personal data. So per data that involves uh personal information, like names, social security numbers, um race, ethnicity, um passport numbers, lots of identifying information, any information that can identify an individual.
Uh So back to the life cycle of personal data, uh storage use uh archival and dis and the disposal of data. So it's important to keep privacy in mind when it comes to the um like the entire life cycle of data. And that's what we mean here by implementing privacy by design, it should always be um in the back of your head. Um The N stands for notify, it is important. It is vital that we are notifying third parties. Uh like our vendors contractors. It's important that um employees have proper privacy notices and clients or customers have proper privacy notices, a privacy notice or privacy policy uh is informing um the data subject what information you're collecting about them why you're collecting it, how long you'll be collecting it.
Uh The reason that you're collecting it, there should be a valid business reason for collecting that data and also what security measures you'll be putting in place. Uh And finally, uh it's important that privacy policies inform data subjects of their data subject rights and it varies among different um sectors. Uh There are sectoral laws like HIPAA um which applies to um personal health information. Uh There's FERPA which applies to educational uh entities.
Uh different uh states have different privacy laws, different countries have different um countries have different privacy laws. So depending on the um sector or country or state, the data subject rights uh may vary as well. So, notification is very important uh informing people about their, maybe their right to access their data, the right to correct their data or even maybe the, the right to erase or the right to be deleted um in certain instances then we have DD is developing privacy operations.
You wanna make sure that you have trainings in place. You wanna make sure that um you have, you're speaking with your board and they understand the new privacy developments that are coming into play. You wanna make sure that um you are creating privacy champions in the marketing department.
HR, Finance um Procurement. Uh IT making sure they understand uh the importance of privacy, making sure they're not at, you know, they're reducing the risk of fines and things of that sort. You can create like things like flow charts, especially those are very helpful to benefit um so to benefit them and give them the knowledge, to empower them, to understand how to keep uh how to minimize data, how to protect the personal data of others. Uh You, we have understanding contracting. It's important that especially when it comes to vendors, that vendors are um vendors are protecting data just as well if not better than you are collecting the data. So if the vendors are, you're sharing data with vendors and they are utilizing it for their benefit and for the benefit of your company, it's important that they have the same administrative technical or privacy controls in place. Whether it be the proper firewalls and encryption may maybe they need to re their retention schedule, they need to retain the um information only for a short amount of time, making sure that they understand uh what they agreed to in the contract, risk assessments, privacy impact assessments.
You may have heard about them, data protection impact assessments. Those are vital um for understanding the risk that's involved. And especially when sensitive uh PII or sensitive personal information is involved like social security numbers or racial uh or um medical information or children.
Even those types of systems that are collecting, that type of data requires even higher controls in place to protect it because there's a greater harm to um that could possibly occur if that information is breached. And finally, the security function, this is where you need to make sure that you have proper data, um, breach response procedures in place a data protection or a data incident response plan. Uh and even conduct tabletop exercises to make sure that people understand what they are supposed to do in case there is a breach or incident. Um And here is everything lines up and I will definitely send this to whoever uh is interested in uh keeping this information to stay abreast of privacy. Best practices I can be reached at linkedin.com, I can be reached at Jarre oshodi.com and I can be emailed at Jarrell at J oshodi.com. Does anyone have any questions? I believe my time uh is ending but feel free to reach out to me to send me any questions. Um I'd be happy to respond. Yes, I can, I wish I could show it and show myself at the same time so I could see your questions. I believe it's kicking me out. Let's see.
So if anyone has any questions or would like me to review anything, I could definitely go into depth about any topic that anyone would like. If not, I hope you all um will reach out to me to um, if you ever want to talk more in depth or find out more uh for your organization, you're welcome everyone. I can see the chats again. Ok, so I see that I have no more questions. Um If I knew it would have allowed me to stay up, I would not have gone as fast, but uh I will stay for another five minutes. I'll just turn my screen off and anyone that has any more questions, uh feel free. I have a question. What are your insights regarding data privacy and career preparation? So, in my opinion, if um someone is interested and new to privacy, the um CIPP or the CIPT, if you're more technical and also the CIPM, if you do have the um managerial role are beneficial for trying to get a job. Um It gives employers um more confidence that you're interested and you're committed to privacy and that you've gone the extra uh step, but it hasn't been required.
Um I've been in the privacy of space, I'd say about 12 years now and I, I got the sip maybe five years ago. Um And I, as an employee, as someone who hires, I would say I would much prefer someone with experience, someone that maybe uh has experience in uh completing privacy impact assessments or experience in a data breach response and incidents. Someone that uh has great research and writing experience.
I also offer a training course um for uh people that wanna pivot into privacy as well where I, where I teach them, I take, I spend two days teaching them different. Um privacy skills and we uh do a resume redline review and a mock interview as well just to help them prepare. Um because we in the field, it's just great that you are resourceful. You know what I mean? You're enterprising, you take the initiative and you can figure things out because privacy is always changing. You know what I mean? It's always changing. We don't, no one expects you to know every privacy law, but you should be able to be resourceful. Um And, and be a great problem solver, understand the best practices of privacy, of course. And all privacy, all data privacy laws are based um on the same uh foundations, I would say, I would probably say 99.9% of um of privacy laws are, are based on um f if anyone is familiar with um FIPP, the fair information practice principles, it just varies on degree. And I would say Europe's GDPR may be, it may be the, the strictest privacy policy.
But if, as long as you understand the principles of privacy compliance, protecting data subjects rights, allowing them access to their rights um when required uh minimizing the use of data consent uh when it comes to other people's um personal information. Um Things like that.
I think those are the best uh those are the best ways to prepare for the career and thrive in the career. OK. I don't see any more questions. So, thank you. So much and I'm going to end the session.