Managing Data, Risk, and Security – Growth and Scale Insiders S01:E03

Growth & Scale Insiders guests: Jessica Hamilton, Kate Williams & John Patrick

What you’ll hear in this episode:

  • How companies in the U.S. are planning and coordinating around rules and regulations like the California Consumer Privacy Act or the General Data Protection Regulation
  • What is considered classified, confidential, personally-identifying information
  • Why customer demands regarding data security have evolved


In the age of WikiLeaks and the Cambridge Analytica scandal, data privacy and consumer data protection are more important than ever. There are some rules and regulations that data collecting companies have to follow, like the California Consumer Privacy Act or the General Data Protection Regulation in the European Union, but more than that, companies are seeing that their customers are really paying attention to data security and privacy in a way that they haven’t before. John Patrick, an IT Risk & Compliance Manager at Bridgepoint Consulting, says that data privacy and security policies “are becoming a requirement and not just an optional add-on.”

Jessica Hamilton, CFO at ActiveProspect, says that the way customers view data has changed as well.

“It used to be the very obvious sensitive data points like social security number and credit card data,” she says. “But with the new laws and legislations that have been passed, now it’s such a broader scope.”

She goes on to explain that now consumer data like names, email addresses and phone numbers are classified as confidential and personally-identifying information.  

Listen to the third episode of Growth & Scale Insiders to learn more about how the industry is changing and adapting to new laws, regulations and consumer demands. If you like what you hear, share with a friend or colleague! 

Growth & Scale Insiders is a founding_media podcast created in partnership with Bridgepoint Consulting.

Host: Dan Dillard, founding_media

Guests: Jessica Hamilton, ActiveProspect

Kate Williams, Maxwell Locke & Ritter

John Patrick, Bridgepoint Consulting


Transcript:

This is a founding_media podcast. Welcome to Growth & Scale Insiders. I'm your host, Dan Dillard. On this series we will be exploring the constantly changing world of organizational leadership and financial transformation. Today we're diving into the world of data security and privacy. With an ever more connected world, this is a subject that is becoming more and more important. Joining me is John Patrick, an IT Risk and Compliance Manager from Bridgepoint Consulting; Kate Williams, a Risk Assurance Manager from Maxwell Locke & Ritter; and finally Jessica Hamilton, CFO of ActiveProspect. Let's jump into our conversation.

Before we talk about data security and privacy, I do want to go around the table and just give a highlight reel of our current roles and responsibilities and a little bit of the background of how that's been done. John, you want to start?

Sure, happy to. So I am an IT Risk and Compliance Manager at Bridgepoint Consulting. I started my career in the external IT audit world and really enjoyed the client service, problem solving aspect of that. Then I spent a number of years working for larger Fortune-sized companies, Fortune 10, Fortune 100, in IT compliance roles, which is a different beast completely. I'm sure. Yeah, and also in that time I owned a couple of companies myself and kind of went through the journey of security and privacy as well. But I really missed that problem solving, addressing challenges with small and mid-size companies, and so was happy to join Bridgepoint a little less than a year ago and get back into that. All kinds of experience around security and privacy, for sure, also as companies.

Okay. Kate, how did you get involved with risk management, and can you also tell us about Maxwell Locke & Ritter?

Yes, absolutely. So I've always been in risk management. I was an accounting major but I didn't love tax returns or debits or credits or anything along those lines, so when I found out that risk assurance, risk management, was a field, I jumped right into that. I started out at PwC in their risk assurance group. I was there for a while and then had my own practice for short stints until I landed at Maxwell Locke & Ritter. Yeah, so we are a CPA and accounting firm, full service. We do tax, financial audit, due diligence, and I'm part of our IT risk and compliance practice, their risk assurance vertical.

So, Jessica, can you tell us a little about your role as CFO at ActiveProspect, and maybe a little bit about the company?

Yeah, definitely. So I'm Jessica Hamilton, Chief Financial Officer of ActiveProspect. I've been with the company for a little over two years. I've been in the software, SaaS world for the last decade, and before that I was very similar, sitting in Kate's shoes, an auditor with KPMG. So it's been fun being on both sides of the table, but I definitely enjoy being on this side more. ActiveProspect is a marketing SaaS company. We offer a suite of products to assist large brands and customers in their online internet lead optimization and compliance. We are a bootstrapped company, we're fifteen years old, but we are growing rapidly, because the data privacy and compliance rules that have come about have actually extremely helped our business. We actually grew fifty percent year over year last year and are on track to double our headcount this year.

Well, congratulations. Thank you. Thank you all for sharing that.

So, for the topic at hand, data security and privacy. I'm actually really intrigued about this topic, especially when it comes to growth and scale, mainly because I think there are so many businesses, so many business owners, who do not know about this topic and how quickly it has evolved in just the last few years. So John, can you give us some insight about the current compliance landscape?

Sure, happy to. You know, I think I'm seeing a couple of trends, and I think small and medium sized businesses are seeing this as well. Number one, there is legislation coming about at both the state and national level around the world related to data security and privacy and how we protect customer information, customer personal information, health data, et cetera. I think we're seeing the first of a wave of what will be future state legislation in this regard, and we're seeing it with CCPA in California, GDPR in the European Union, among others. So that's kind of the first trend that we're seeing. But then, more importantly, I think what companies are seeing on a day to day basis is that their customers are really paying attention to data security and privacy in a way that they may not have in the past. It's becoming a requirement and not just an optional add-on. So especially for growing businesses that are trying to attract those larger, more enterprise-sized customers, they can certainly expect questions from their customers about how they address data privacy and security of their customer data. That comes in several different forms. Yeah, I think we're all familiar with the dreaded one hundred page security questionnaires and long question-and-answer format emails from our customers, but then there's other forms of requests, such as SOC 2 reports. You know, some companies are asking their vendors for data privacy impact assessments related to GDPR, and that's kind of just the tip of the iceberg when it comes to customer requirements.

Yes, and I'll add on there that even the way that our customers are viewing data has changed. You know, it used to be the very obvious sensitive data points like social security number or credit card data that obviously needed to be protected. With the new laws and legislation that have been passed, now it's such a broader scope. So for us at ActiveProspect, customers that may just be collecting name, email and phone number are now being scrutinized with how is that data being protected, because now it's classified as confidential or personally identifying information. So even customers who have been dealing with these types of data for decades now have a new heightened sense of awareness about the security surrounding it.

John, one of the things that you've mentioned is GDPR and CCPA, and I'm sure that most business owners have seen the news headlines. Can you explain what the differences are and what businesses need to understand about those two things?

Sure. So GDPR is an EU regulation that relates to personal information of EU citizens. It applies to any company worldwide; the company can reside in the US or in the EU or elsewhere, and it applies to any company that stores or processes personal information about EU citizens. And as Jessica mentioned, that definition of what is personal information is really evolving. Under GDPR it's very broad. There's the typical definitions such as name, email address, social security number, a birthday, those types of pieces of data, but then there's more non-typical, broader definitions such as tracking information or IP addresses, identification numbers, that companies may not even realize fall into scope under GDPR. So that's GDPR.

Then on the state side, on the US side, there's not a national regulation related to data privacy, but the states are beginning to enact their own. CCPA is the first of those and went into effect January of this year, and it applies to personal information of California residents. Okay. Again, the definition is pretty broad, but it aims to give California residents the right to own their information, and they have the right to understand how companies are using it, who they're sharing it with, and also the right to request that it be deleted and removed, kind of that right-to-be-forgotten concept.

That makes sense. So you put a website out and sometimes you may not understand the data that's being gathered and where those customers are coming from, and you have these liabilities as a business owner. You need to understand where these customers are, because if it was the EU, California, soon to be other states, right, then what do they expect you to do with that information? You can't just collect it and keep it; you have to follow the rules, right? Yeah, yeah, you have to follow the rules and safeguard it the right way.

So if I am a new business, please educate me, or maybe my company is growing and I'm seeking help. What are the first things that you want to address when a company comes to you for help with this particular data security and privacy?

Sure. I think the first thing that I would tell the company is to take a step back and take it step by step. It's easy, and often common, for companies to start at the end and work their way backward: start with a regulation or compliance framework and try to work their way backwards to identify what fits into that, when really what we need to do is start at the beginning and identify what is it that we have. You know, let's identify the data that we store, where it's coming from, what type of data it is, and what system it resides in. Do we just have a website where we're collecting no data? Do we have forms on our website that are collecting personal information? Or do we have a SaaS application that processes a large amount of personal information? So there's different ways to do that. You can visualize the data, create data flow diagrams, create system inventory lists. But really that kind of initial data mapping is really important, because you can't protect data unless you know what you have; not knowing it exists makes little sense. So once you complete that step you can really move into the future phases of compliance: identifying what compliance requirements apply to that data. Is it GDPR, is it CCPA, is it a SOC 2 that's required because the customer is asking for it? And then obviously move into your gap analysis: what do we need to do, what are we doing, what are we not, and what holes do you need to plug. And then remediation, how we plug those holes: is it new technologies, new tools, training of our staff, new policies and procedures. So it's really important, I would add, to start at the beginning, identify what you have, and then take it step by step.

Makes complete sense. Kate, I have a couple questions for you. I am really curious. You mentioned that you went from, you know, traditional CPA work to really being intrigued about risk assurance management, and I'm wondering what that role entails. I assume it has to do with data security and privacy, so can you give an idea of what that work involves?

Absolutely, yeah. It really does involve data security and privacy. For our customers, as an accounting firm, we really specialize in SOC 1 and SOC 2 examinations, so we can come in as independent assessors of companies and issue those reports. So that's our primary focus area. But we get a lot of customers locally that are small to medium tech companies that are new to SOC. They don't know what it means, they don't know why they need it, and so we do a lot to educate them, educate the public as much as we can.

What is SOC? I mean, it's one of the things I looked at when I was reading your LinkedIn. You're like an expert at SOC 1, 2, and, like, what? Right, right, such exciting times. Right.

Yeah, so it stands for System and Organization Controls, which isn't a very helpful acronym, but they're essentially these reports that customers of SaaS companies, customers of companies that provide services to businesses, especially enterprise-grade businesses, will ask for. They'll ask for a SOC report to make sure the company that they're using is protecting their data correctly, is doing what they're supposed to be doing. So an organization that's some sort of service provider, a SaaS company, a health tech company or a fintech company, you know, they're offering services, they're offering a platform, and these companies, our customers, potentially have really sensitive information. So if they can hand their customer a SOC report, that gives that customer assurance that their data is protected and they can trust that.

So you've seen that the clients themselves are asking for this before they sign a contract with the company?

Absolutely, yeah. So we get a lot of that. Companies come in and they'll say, you know, we almost have this deal closed, but we need a SOC 2 or we can't close the deal, so we need one right now. We want more of it.

So it's a really tricky, kind of high pressure thing, right? Like, it does take a little time. What's that like?

Yeah, that's a great question. So as John mentioned, gap assessment and readiness, that is a really important component to a SOC report. I have yet to see an organization just crush it right out the gate and already immediately know everything they need to do and have it in place. So that's really the starting point: going through some process to understand what needs to be corrected, what needs to be implemented. And then after that there's two types of reports, a Type 1 or a Type 2. A Type 1 we can get out the door reasonably quickly; it's as of a point in time, so it's really how quickly can they fix those problems that were identified during a readiness process, and then the reporting can happen over the course of a month or so, as soon as things are resolved. That's what organizations don't fully understand, how long that can take to really fix the gaps. And then beyond that, for a Type 2 it's over a time frame, it's over six months, over twelve months, and so it can take a while to get a Type 2 out there.

So the lesson here is you guys are the people to come and verify that the data is secured and is being protected, and so if I've got a company and I'm growing and I want to have those enterprise type contracts that are out there, I want to make sure that I'm covering the bases and be able to show that to anybody that wants it. And so you guys come in and are able to do that, but it does take time. It's going to take six months to a year to go through all my data for people to show that, to prove that?

Yeah, for most of them. Yeah, absolutely, which is why it's so hard when you get people, like, well, I guess I just need one right now. No pressure, it's a five hundred thousand dollar deal, I need one right now. We'll get on it.

So at what level of growth do companies really need to be focused on this? Is this like a startup at the very beginning, or is it like, I've already got so many people, I really need to start doing that, or is it once I start targeting companies of a certain size? What does that look like?

Yeah, it's primarily the last one. So unfortunately for some of our smaller clients, it doesn't really matter how many people you have or what your revenue amount is. If you're going after a really big organization, if you're going after a big company, a Fortune 500, Fortune 100, and you're providing some sort of service to that company, they're going to want a SOC report. Or if you are health tech or fintech and you right out the gate have really sensitive information, you're gonna need a SOC report. So it can be really small organizations that need one, and we'll try our best to make it as easy as possible for them, but it's a hard pill to swallow.

Well, that's really important, especially in this town. You have so many small startups that go out and try to fix something in health or something that requires data security, and they may not be thinking about this, and so it's important for them, as they grow up, as they get out the gate, to have this thing checked off. The box needs to be checked.

Yeah, absolutely. So catching people early is really important for us, and training them.

Jessica, I'm also very curious about the work that you do over at ActiveProspect. Can you elaborate on the importance of security and privacy when it comes to lead generation and how that affects your clients?

Yeah, definitely, and I couldn't agree with what Kate is saying more. Our clients range from small mom and pop shops, you may own a local flooring business and they're generating leads online via, like, a HomeAdvisor or Yelp, all the way up to Fortune 100 companies, and so everyone is very concerned about what happens to their data as it enters our platform. And for us, no matter what size our customer is, they're typically bringing in the same types of data, and so as the security and privacy laws have strengthened, our customers are asking us these hard questions. And the evolution of ActiveProspect is we tried to kick the can as long as we could. Very much like you mentioned, we're in Austin, we're a startup, and we would tell someone, well, we're not SOC 2 compliant, we don't have the resources to become SOC 2 compliant, go ahead and send over your questionnaire, we'll get it filled out as much as possible, and kind of hope we get the deal done. And that worked for most of the last fifteen years, but over the last, really I'd say twenty four months, things really changed and we started actually losing customers. Just a handful that said, look, typically it's, we've just been acquired, right, and now our big new parent company will not allow us to use any vendor that isn't SOC 2 compliant. And also new prospects are not accepting the questionnaire as the only way for us to be able to do business with them. And so we decided as a leadership team about eighteen months ago that the time is now. This wasn't going to get any easier with the passage of CCPA and the sense that Washington is on its heels, if not already doing something similar. And in the world of online lead gen, internet leads don't understand boundaries, so for us, whatever happens in California has to happen everywhere. And so we decided to make the investment. And to Kate's point, I think it was nice to have someone like myself at the company who's been through this and knew what to expect. It was funny, some folks in the teams were like, how long will it take us to get the SOC report, like two weeks? And I'm like, well...

So where we are with this, it's very specific what we deal with. Our fundamental business model is based on consent-based marketing, so we're already dealing with folks who are trusting in giving the companies permission to contact them, whether it's by email or phone. So for us being compliant is even of the utmost importance, because we ourselves are kind of a compliance tool, a compliance company, so therefore we have to have the most stringent compliance rules and procedures set up to really be able to have that reputation in the marketplace.

Makes total sense. This takes me back thirty years. I was in sales thirty years ago and I remember going down the yellow pages, that was like, you know, a hundred dollars a day or whatever that was, and it's so different than me thinking about this.

Absolutely. So you think about businesses today that have done things one way and not changed for a long time. The landscape has changed, completely changed, and it's become extraordinarily sophisticated as well. I'm relatively new to the specific space of online lead generation, and when I really got to know the industry well, I was extremely surprised by the sophistication of small mom and pop shops. You might have these home services businesses or even health care type lead gen businesses, and how it's all super integrated and how they're able to drum up a ton of online lead interest in their products or services, that you might have a three person company who is processing hundreds of thousands of leads per month. And as a three, four person company they certainly aren't solving the SOC problem, so they want to at least make sure the vendors that they select are.

Wow, that's incredible. So, putting something on the table, what's that one piece of advice you'd offer to other CFOs as they're getting started in data privacy?

Sure, I can start. I would say be proactive, don't be reactive. I think that's easier said than done sometimes, but if you can start your compliance journey early enough and build it into your processes, build it into your procedures, identify risk and address it with controls in your day to day activities, then when a customer comes knocking with a SOC request or a GDPR question, you'll be prepared and your life will be a lot easier down the road.

Great. Anybody else?

Yeah, I'll chime in. I would say don't immediately assume that any compliance cost is a sunk cost. I understand that part of it's the cost of doing business, but part of it, it's the opportunity to bring on bigger customers, to communicate to your customers that you will secure their data, that you will operate as they expect, and that you are a trustworthy vendor. So just don't go in assuming that everything is a sunk cost when it comes to compliance. Understand the value of it first.

And I couldn't agree more with those, and I'll add on as well. They asked for a piece of advice; I'm gonna give you three. So first and foremost, definitely get started early, especially as a startup. We tend to cut corners, and that is okay, sometimes you just have to do that, but there are certain decisions that you can make, like where you store your servers and what vendors you are going to select, to go ahead and start thinking about quality and assurance of security early. And maybe it's just selecting some of those vendors and putting your procedures in place early to help with this down the line. But as soon as you realize you're ready to get serious about becoming SOC 2 compliant, it's time to bring in some help, right? That would be my first recommendation. At ActiveProspect we brought in Bridgepoint; we had no one on the team besides myself who had any experience with this, and we really needed someone to come in and help steer us into how to start from the beginning and get to where we wanted to go. And with that, also selecting a partner and making sure that everyone's on the same page about what does it mean to be SOC 2 compliant and what we have to do to be able to get through this as painlessly as possible.

The second thing I would say is don't be afraid, especially when you start out with these questionnaires. I mean, John's not exaggerating, there's hundreds of questions. I think our largest one was four hundred eighty questions, all over security, and so it becomes very daunting. It is okay to say no, I do not have this thing in place, I do not do two factor authentication and have a sixteen digit password, and then cross the bridge with the prospect, to just be honest about where you are. I think for a lot of folks, fear kind of prevents them from answering honestly, or they try to hurry up and change things really fast to say yes, and then things are done without a lot of thought.

And my final piece of advice, especially for small companies that are very heavy on the developer and engineering side: just because someone is asking about the way something is set up in infrastructure and the processes you have in place, it doesn't mean you haven't built something beautiful, right? And especially for us at ActiveProspect, we have a very large engineering team, and when we started talking about all these things we had to fix, there were egos involved, and we had to be very clear that this does not reflect at all on the product that you've built. The product serves an amazing purpose and is meeting a lot of needs out in the marketplace, but we still have to go do these things on the backend in order to play with the big boys and big girls. And so I would just educate the engineering team, specifically your DevOps team, to say, look, we've got some hard questions we're about to answer, and that is okay, and we'll get it figured out, and this reflects not at all on the type of quality engineer that you are or what you've built.

Wow, that's something I wouldn't have thought about. Yeah, you can see this is the pride of what they've done, right?

Listen, as a financial person I'm used to running a financial statement audit, and someone's like, well, why is your cash balance this, and it's like, mind your business, you know. That's pride in your work, and engineers are very much the same way, as they should be, which is great. They have a lot of pride in what they've built, and just because you don't have this crazy password set up doesn't mean you haven't done a great job. And when folks like myself, especially folks who come in more on the operations side, don't establish that relationship with their IT team, our relationships can go sour fast, and you really need to have collaboration. This is cross-functional. The controls you have to put in place are human resources, IT, development, I mean across the board, so it's not just only IT taking care of this or only finance taking care of this. So you've got to kind of set the ground level with everybody up front.

Well, this has been incredibly informative. I know that many fast growing businesses out there will really appreciate the information we shared today, so thank you very much to all for being on the show. Really appreciate it. Thank you very much. Thank you.

Thank you again, John, Kate and Jessica. With more data than ever before being used and being available to organizations, privacy and security is an important topic, and we've only scratched the surface a little bit today. If you enjoyed this episode, please make sure you subscribe and maybe share it with a friend or coworker. Growth & Scale Insiders is created in partnership between Bridgepoint Consulting and founding_media. To learn more about Bridgepoint, please visit the links in the show notes.