Daragh O Brien (00:00): Hello everybody. And welcome to this, the latest edition of the Castlebridge podcast, where we want you to talk data to me. Today it's just myself and Katherine, everyone else is still fixing the world in various ways, but there's been a lot happening in data land over the past couple of weeks. And we thought it'd be worth doing a recap, but not in the way other people do recaps. 'Cause that's boring. And one thing I hate is a bandwagon. So yes, we will be talking about Schrems 2 later on. Well, before we start talking to Schrems 2, it's worth putting some context and laying some, some groundwork to help us understand what actually is going on.
Dr Katherine O’Keefe (00:44): Yeah. So instead, what we're looking at is data governance, our bread and butter.
Daragh O Brien (00:48): I suppose the first question to ask, Katherine, is what is data governance when it's at home?
Dr Katherine O’Keefe (00:53): That's a fun question because if you ask any data governance professional what data governance is, you're likely to get more than one definition. So one of the definitions we like to use in Castlebridge is looking at the W questions for who can do what, with what data, in what circumstances and in what situations, so looking at all of those W questions, looking at a system to make sure that we know those W questions.
Daragh O Brien (01:28): Yeah. And, and that that's the classic joke that you refer to it as the Princess Bride effect, but it's one of the classic problems with data management in general is, is the lack of, often the lack of coherent definitions of things. But that's why I like falling back on the definition of data governance from the data governance institution got Franklin palace. She came up with this definition with Bob Seiner and John Ladley about 20 years ago.
Data governance is the system of decision rights, responsibilities, and accountabilities about who can do what with what information, where, and under what circumstances. Gwen has in the past described data governance as being about how you define the rules of how to decide when to decide so that you are, your framework is in place for making key decisions. And part of that governance framework that organizations need to put in place for data is having the, the, the pathway to escalate questions around procedure and around decision making rules, rights, responsibilities, and authority. And I think that is something that organizations often lack when we're looking at data. And one of the key things is you don't have to be a big business to require data governance, because it does impact on your strategy and how you execute as an organization. And we're dealing with this ourselves internally, Katherine, around our education products and the governance of data and definition of data as we build out our education business now, right?
Dr Katherine O’Keefe (03:03): Work. I mean, a lot of fun with that. Yeah. We do have to eat our own dog food here. We are making sure that we have clear understandings of what it is we're building, who can do what, what that means and how we're describing the things that we are building and making sure that we can actually find what we need to find. So you can find what you need to find.
Daragh O Brien (03:25): Exactly. There are moments though, when it is very much “Father Ted Eurosong” territory, with Dougal and Ted rehearsing. And I'll put a link up to a video of that so people get the reference who aren't necessarily familiar with Father Ted. And again, another example of data governance in action using terminology or concepts that people might not be immediately familiar with.
It's important from a business data glossary perspective that you explain those things in terms of data strategy and the role of governance in a data strategy context. Peter and I have talked about this on previous podcasts, Katherine, but it'd be worth getting your take from your, your working involvement with clients. How important is it for there to be clarity on the decision making roles and responsibilities?
Dr Katherine O’Keefe (04:12): Incredibly important. One of the things that we do tend to see quite a bit is there are lots of small decisions made that affect much larger decisions, but if there isn't clarity on the greater strategy that we all need to have and who should be making those decisions, things get missed. We all go running off into different directions. We might have the same initiative happening in multiple places in the same organization, all doing things differently. So getting on the same page as to what we want to do and who's allowed to do what is really important.
Daragh O Brien (04:45): Yeah. And, and that goes back to the fundamentals of strategy and execution. Ultimately if you don't have good governance over the things you're doing in the organization and data and information are key assets, you will have, particularly in a, as organizations move to more online ways of working. And as we start implementing new technologies, new ways of doing things in organizations, the data becomes a critical component there. If you haven't got clarity on what it is we're trying to do as an organization, and if you then haven't got clarity on the decision roles, rights and responsibilities around the information related processes, not just the information, but the processes around information, that's going to be a barrier to you executing on your strategy. And we've got a case study on the website about a couple of case studies in the website.
Now actually around a data strategy definition, all of which have a data governance component and data definition component to them. Data governance and data protection, Katherine, why?
Dr Katherine O’Keefe (05:48): Well, you need clear governance around who's allowed to do what with what data in order to actually have data protection. That's when it comes to a very large amount of what the regulation is about is ensuring that there is proper governance around the rules. So people not only know what they're supposed to do with data, but who is allowed to make what decisions and have what access to what data, what's allowed to be done with that data under which circumstances. So it's all governance and quality.
Daragh O Brien (06:21): What you're saying, Katherine, then sounds very much to me like in order to implement and execute your, your obligations under data protection law, you need to ensure you have appropriate organizational technical controls in place that are clearly defined, identifying who can make what decisions when, in relation to personal data and data that could be personal data. And that there is some form of structure in place that ensures accountability for those decisions and actions. Is that what you're getting at there?
Dr Katherine O’Keefe (06:52): That would be just about exactly it.
Daragh O Brien (06:55): It's just crazy talk, who's doing that? But no, it's exactly what you have to do. And that's why in our infamous and much ripped off one slide summary of GDPR that we've been using since the dawn of time, we highlight the importance of governance in terms of the role of the data protection officer or equally.
If you don't have a data protection officer, documenting why you don't have a data protection officer and keeping that under review, which again is the decision making process around roles, responsibilities, and accountabilities for information related processes, and all the other things you need to do around DPIAs, privacy by design, all of those things you want you to be putting in place, that is all, at the heart of it, a management system and a governance system that needs to be put in place, which kind of brings us to the wonderful world of “Schrems 2 - the EnSchremsening” (because all sequels need to have something like that). Die Hard 2 was “Die Harder”. This is “Schrems 2 the Enschremsening” and I think this is a really good example of governance in action. And it's a really good example of a regulator taking steps to ensure clarity on decision rights, roles and responsibilities, and also the fundamental tests that need to be applied to that decision making.
Dr Katherine O’Keefe (08:16): Absolutely. So one of the things that everyone is talking about is the data transfers aspect to the U.S. when it comes to the end result of the decisions that the regulator has to make. A lot of what the actual European Court of Justice ruling does is answer questions around governance: who has what decision making rights under what circumstances about data transfers to the U.S. or other countries. So everyone's of course interested in how this will affect them personally, but ultimately this is a ruling about procedure and governance.
Daragh O Brien (08:57): And that's a key thing like that.
That's something I pointed out last year in a blog post on the Castlebridge website where I went through all the questions and I, I, I broke out some of the questions cause there were, there were a couple of questions nested together, but every single question that was raised from the Irish High Court to the European Court of Justice in this case was around defining the fundamental tests and defining the scope of authority of the national supervisory authority and of the European Commission and of the European Court of Justice when looking at things like cross border data transfers and standard contractual clauses and Privacy Shield.
Dr Katherine O’Keefe (09:38): So basically we have a set of questions regarding who has the authority to make what decision about data transfers under which circumstances and what rules are in place to ensure consistent decision making.
Daragh O Brien (09:53): We have a ruling from the European Court of Justice that clarifies how to decide when to decide and who can decide, which is significant. And one of the key things from the European Court of Justice is it reinvigorates the importance of the data controller in the process, particularly in the context of standard contractual clauses, that this isn't, this isn't simply a question for the regulators. This is something that individual data controllers have a responsibility for from a decision making process point of view, in terms of who their suppliers are, where their data goes and what is the basis they are going to rely on to justify transfers of data to different jurisdictions. And that's one of the key things that we need to be looking at. In our, in our book, Katherine, we have our framework on free information management information strategy based off the Amsterdam Model.
And we have the stakeholder segment in that, the information outcome and process outcome. One of the things that's annoying me slightly over some of the recent commentary on the Schrems 2 decision is that everyone's focusing on the information and process outcome piece. No one's looking at how the sausage got made. Well, the recipe for the sausage is a really important recipe.
Dr Katherine O’Keefe (11:06): And that recipe is exactly what the decision is. And it's looking at making sure there are very clear decision flows and that we know at what stage those decisions can be made and who can do them. It makes very clear what, where the accountability is and for controllers, that accountability is doing due diligence so that you're not using standard contract clauses as a fig leaf. You know, basically saying you can't just do a tick box exercise and pretend that these contract clauses will do something that contracts can't do. So it is interesting.
Daragh O Brien (11:45): So, so what you're saying is that we can no longer simply slap some lipstick on a pig and make it queen of the fair? We actually have to do some diligence there. I think that's one of the key things is, is, you know, all of this, the big fallout from this is the clarity that the European Commission is answerable to the European Court of Justice. And the European Court of Justice has reiterated the key tests that need to be followed for making determinations on things like adequacy frameworks, and also the question of standard contractual clauses and the role of individuals, individual data controllers and the supervisory authorities. And that has to be welcomed. It's not a surprise though.
Dr Katherine O’Keefe (12:35): It's not at all a surprise. It is very interesting to see how clear the Irish Data Protection Commission has been in saying “Thank you. We really wanted this clarity.”
And again, this is something that the DPC appears to have been very methodical about in going to the European Court of Justice to ask for clarity and then welcoming that clarity when it is delivered. So it looks like it's been a very strategic marathon running strategy rather than a big grandstanding sprint.
Daragh O Brien (13:09): Governance isn't glamorous. And this is something I've struggled with over the past 20 odd years, doing data governance and data quality and data strategy stuff, the sexy, shiny stuff is always a new technology, the new toys, the new stuff that the IT department or the marketing department or the strategic digital transformation department want to bring into an organization. The actual stuff that's really important to making everything work is the governance piece. One of our projects over the last quarter was with a large organization that was looking to implement an artificial intelligence solution to help speed up some of their processes and speed up their route to market in their particular industry. But we had to highlight to them that their underlying data was not fit for purpose. And one of the reasons for that was an ad hoc approach to governance, because you always have governance in organizations just to, to, to raise a flag on this one, Katherine and Bob Seiner and John Ladley would nail me to a tree if I didn't clarify this. Every organization has data governance. The only difference is some organizations have written stuff down and formalized it. What this organization had was a lot of accepted workarounds and fudges in its data because that was okay in a largely manual offline world, but they were looking to move more and more into a digitally enhanced and digitally enabled world with artificial intelligence, that data was underpinning everything.
Dr Katherine O’Keefe (14:45): I think we can also tie this back to Deming because the governance that everybody has that isn't written is largely best efforts as opposed to clearly systematized so people know that we're being consistent, best practice.
Daragh O Brien (14:59): Well, hang on a second, Katherine, we've gone from data governance to Schrems, to W. Edwards Deming in one podcast. People will be thinking we're going crazy, but we are. And you're absolutely right. Deming's famous quote about best efforts, best efforts, best efforts. Imagine the chaos that would reign if everyone simply went and did their best. And what governance is about is trying to rein that in. And this is something that I've been saying for a long time in relation to supervisory authorities and the occasionally unfair criticism that the Irish Data Protection Commission has received. There is nothing stopping regulators who want things done faster, doing things faster, apart from the fact that when a regulator makes decisions in an enforcement context without paying due respect and consideration to legal and regulatory governance environment they operate within. When they don't do that, that's when we run into problems. That's where the Information Commissioner's Office in the UK undermined their own investigation into Facebook and ended up having to settle with Facebook last October for half a million pounds, half a million pounds sterling, and Facebook have to take back all the evidence. I fear we are going to see something similar with their enforcement actions into BA and Marriott, which I've had a number of interesting conversations on LinkedIn recently with data protection professionals who want to count the ICO's fines of BA and Marriott as fines. They are not, they are notices of an intention to fine as part of an enforcement process, which means from a governance perspective, they are not fines.
And when the process finally moves through that sausage machine, the sausage has been kicked further and further down the road over the past few months. I'm pretty much of the view that the big fines that the ICO was trumpeting for BA and Marriott simply will not happen. And it will be a very quiet press release probably issued on a Friday, probably just before a Bank Holiday or a large sporting event to bury the news. Well, this is why it's really important that regulators take their time to do it right and work within the governance rules.
Dr Katherine O’Keefe (17:17): Do you want headlines or do you want effective action? Thankfully it looks like with the clarity in procedure that Schrems 2 gives regulators, there is a good framework for taking effective action when it comes to cross border data transfers, but that's something we need to look at for regulators in general. We need to see clear following of due process and procedure so that the decisions that are made are enforceable and will stand to challenge. Otherwise you don't have effective action. We can take that as well in general businesses that aren't regulators and see that there is good value in having clear process that people understand so that when there are issues, people know what decisions should be made and how they can be made, and when there are complaints, they can stand over what you've done.
Daragh O Brien (18:12): Exactly. It's also the Irish mammy situation conference. And the key thing going an Irish mammy is an Irish mammy will tell you, these are the rules. This is the parameters under which she is acting. When you step outside of those parameters, then an enforcement action will inevitably take place. You might not see it coming. You might not even realize it's happening, but once it hits you, you know you have been regulated by your Irish mammy. What's your take on that, Katherine?
Dr Katherine O’Keefe (18:42): That definitely seems to be the case.
Although I would question whether all Irish mammies are actually very clear in setting out those parameters, but at least what we have with Schrems 2 is clear parameters.
Daragh O Brien (18:55): Exactly. And that's the thing: an effective Irish mammy sets out clear parameters and you know the parameters you're operating within, or at least you can infer them from past behavior and past action and bodies of precedent for the decision making process. And of course, one of the other aspects of that I've seen coming out over the past couple of days in terms of the commentary around Schrems 2 is questions about whether the DPC is taking it seriously. We're back to Irish idioms here. And Katherine, this is where your literary studies probably come to the fore in terms of helping to explain to people what happens when the Irish seem to be understating something.
Dr Katherine O’Keefe (19:37): Yeah, it's not just the literary studies. It's also being an immigrant and trying to navigate a completely different cultural idiom to the one that I grew up in. But what I described to Daragh in conversation earlier was the difference between an Irish publican, or a bartender, saying “Have you no homes to go to?” at the end of the night. Now this is very much an Irish idiom for “We are closing now, get out!!”. It may sound a little bit soft, but there's no question what the publican is actually saying. They're not asking about your housing status. They are telling you we're closed now, so leave. So I think a lot of what we see in international discussion of the Irish regulator's statements is not necessarily understanding the perennial cultural idiom of understating certain things, particularly when there is something very heavy stated behind it, for instance, calling World War II “The Emergency”, or a 30-year-long civil war “The Troubles”.
When the Irish regulator says that there are questions regarding the legitimacy of something, they are stating in a very Irish idiom that you're going to have to stop this.
Dr Katherine O’Keefe (21:02): Now,
Daragh O Brien (21:04): Ultimately, the way I summarize it, Katherine, is that if an Irish political leader came out and said that COVID-19 was just “The Sniffles”, we would all be expecting to die tomorrow. As a nation we pride ourselves on our understatement. So when the DPC comes out with their statement, when they are talking about this being a significant decision and this being something they were going to consider and look at, and that there were obviously questions to answer. That's not fudging. That's sending up a signal flare that things are going to happen soon, but they're doing it in a way that isn't prejudging the formal process. It is not the regulator coming out and making a definitive declarative statement or a decision because until the DPC has gone through the governance function of the investigation process, until they have made a draft decision and brought that to the European Data Protection Board for input and comments by other supervisory authorities, the final decision of the Irish DPC won't have landed. And if they don't follow that procedure, their decision is ultimately open to challenge, potentially on purely procedural grounds. And nobody wants to lose on a technicality. And that's always the risk with any rushed process, but anyone who listened, I, as someone who grew up with an Irish mammy, and as someone who has grown up with the understatement, the statement from the DPC is actually incredibly powerful from an Irish perspective.
Dr Katherine O’Keefe (22:36): Yeah. This was where, yeah. This was where learning to again, understand the language, making sure that we have a common language, getting back to that governance question that we had earlier, that we're all understanding you're using that word.
I do not think it means what you think it means. No, it actually means that making sure that we do understand what's being said when certain words are used is very important.
Daragh O Brien (22:59): Yeah. That's the key thing is it's also worth bearing in mind that, you know, Ireland will understate anything. It is deeply ingrained. And I saw someone recently on Twitter talking about the Schrems 2 decision being like Bloomsday for data protection people, that we'd all get together every year on its anniversary to read choice passages from the judgment. Yeah. I agree with that person, because most of the people who gather together on the anniversary of the judgment won't have actually read it and of those who have read it, most won’t actually understand it.
Dr Katherine O’Keefe (23:34): Okay. Joyce.
Daragh O Brien (23:36): Bloomsday is a really bad example when you're dealing with an Irish regulator.
Dr Katherine O’Keefe (23:41): Actually, unfortunately, what you've said is very accurate most of the time. Yeah.
Daragh O Brien (23:46): Katherine, your PhD in Anglo-Irish Literature is showing.
Dr Katherine O’Keefe (23:52): It's not my fault. Nobody's read Joyce. Most people won't have read it fully. But will have “CTRL-F’d” to what they think the important decision is rather than looking for the governance.
Daragh O Brien (24:03): That brings us to another final closing point on this control F on governance and the Irish Data Protection Act. I just want to close on this point, one of the problems with legislation, particularly when you are trying to drill through it, and trying to understand it, trying to answer questions in a hurry. And when you're reading a judgment, or when you're reading guidance from a regulator or reading legislation is the control F problem, which is the technical implementation of “That word. You keep using it. I do not think it means what you think it means”.
In a data governance structure, what you need to have clarity on is the meaning of things and the role of the actors and understanding in a particular context, are you one of the actors that this particular set of rules applies to? One of the key things we have found over the past two years with organizations, both from a consulting point of view, from a training point of view, but also from a data subject perspective is organizations that use control F to search the Irish Data Protection Act and wind up in the bases for law enforcement agencies, competent authorities. They decide to rely on one of those sections for a thing when they're not a law enforcement body. Katherine, what's the technical term for doing that?
Dr Katherine O’Keefe (25:33): There would be a few, one would be incompetent.
Daragh O Brien (25:37): Yeah. The key issue here is that it can result in you, if you're a data protection officer doing it, you have to ask, you would have to ask yourself immediately, do you have the specialist knowledge and understanding of data protection law and practice in the Republic of Ireland? Because if you're using control F to navigate the legislation and you're landing in part five of the Data Protection Act 2018, and you are not the data protection officer for a law enforcement body or competent authority, like for example, at the ISPCA, then back away from part five quickly because you're in the wrong area. And what will happen in that context is if there was a complaint made to the Data Protection Commission about your decision, and you've relied on the wrong section of the act to inform your decision. Well, the DPC doesn't have far to go in terms of making a decision against you.
Dr Katherine O’Keefe (26:36): So context is important. And then that gets back to understanding what data is. Information is data in. If we don't, if you're not fully informed, you're going to have trouble making clear decisions.
Daragh O Brien (26:48): Exactly.
So to bring it all back to data governance, it's about clarity around the decision rights for roles and responsibilities in relation to information related processes that defines who can do what with what information when, under what circumstances. Schrems 2 has given us clarity on some of those decision roles, rights, and responsibilities, and the underlying tests that are to be applied in certain circumstances. And when we're navigating the Data Protection Act, it's important to understand who are we, what are we doing? And does this section of the act actually apply to us? And if not, we need to go back and where you from or understanding and look elsewhere to justify the decisions that we're making so that we're able to demonstrate appropriate organizational technical controls and accountability. I think that's everything for today. Katherine, do you have anything else that you want to talk about?
Dr Katherine O’Keefe (27:44): I think we're, I'm running pretty long at this point, so it's good. Good to end now.
Daragh O Brien (27:51): Okay. Well, we'll be back again next month with another episode of the podcast. Look forward to hearing from you all then.