Donata Stroink-Skillrud is a licensed attorney and a Certified Information Privacy Professional. She is the President and legal engineer of Termageddon, LLC, a software as a service company that has generated thousands of Privacy Policies and kept them up to date with changing legislation. Donata is also the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago chapter of the International Association of Privacy Professionals.
INTRO: [00:00:00] Welcome to The Power of Digital Policy, a show that helps digital marketers, online communications directors, and others throughout the organization balance out risks and opportunities created by using digital channels. Here's your host, Kristina Podnar.
Kristina Podnar, Host: [00:00:19] Thanks for joining me again today for The Power of Digital Policy. Today's an opportunity to geek out a bit and learn a lot about digital policy from Donata Stroink-Skillrud. Donata is a licensed attorney and certified information privacy professional, who by the way, is the founder of Termageddon. And she's solving the problem we all face around keeping our privacy policies up to date with changing legislation. Donata, it is such a pleasure to have you here today. Thanks for joining.
DONATA STROINK-SKILLRUD, Guest: [00:00:46] Thank you so much for having me. I'm very excited to talk to you about policies and privacy and what's going on.
KRISTINA: [00:00:53] So ready for this geek-out session. I have to say that for a while, I've been hoping that we could finally connect and talk. And I think one of the really key things to say before we even start our conversation is you certainly are a licensed attorney. But you are not giving us legal advice today. And that feels like a statement everybody makes at the beginning of any conversation, but I thought I would just put that out there before we kind of dive in. Does that sound right?
DONATA: [00:01:17] Yeah, that does sound fair. Thank you for adding that in. It's always important to me to be upfront with people about what it is that I offer, and today that's not legal advice.
KRISTINA: [00:06:11] Smart advice taken from a lawyer who's not giving legal advice. You just mentioned varying regulations and laws out there. I start looking at various acronyms from GDPR to CCPA, to LGPD, to POPIA; it's enough to make our heads spin, especially when it comes to keeping our privacy policies up to date. Tell us a bit about how you see the space evolving. And what are really the biggest challenges for organizations right now, given the fact that all these acronyms are popping up day in and day out?
KRISTINA: [00:08:37] What should organizations or privacy professionals do when the different laws have a level of conflict, especially with some of the standing, kind of outdated regulations that we have around the world? What to do then?
DONATA: Each privacy law has different privacy rights that it provides to consumers. So for some organizations, it makes more sense, instead of providing one set of rights to California consumers and another set of rights to EU consumers and another set of rights to Canadian consumers, to combine all of those rights and provide them to everyone regardless of where they reside; some organizations are finding success with that. So instead of having these crazy lists of privacy rights and very much confusion from a consumer standpoint of what applies to me and what rights I have, you provide all of the same rights to everyone so that you're compliant with all of the laws at the same time. But then you're also kind of going a step above and beyond those laws and showcasing to your customers that you care about their privacy, and you're willing to go a step beyond what's required. So that's one of the things that I've seen lately that I've really enjoyed seeing.
DONATA: [00:10:57] Potential flaws that I see in how people approach compliance in that sense are, number one, they assume that if they meet GDPR, they will meet all other requirements, which is simply not true. Other privacy laws have requirements that go beyond GDPR. So if you're using GDPR as the standard, you should not assume that you're compliant with all privacy laws, because chances are you're not. And then two, I see a lot of organizations trying to impose GDPR terminology on vendors or customers. So, for example, having the whole data processor and data controller thing; for whatever reason, I find that a lot of people bristle when they see those words: oh, I'm a data controller, I'm a data processor. Now, I don't want to think of myself using different terminology. What I personally like to do is strip that terminology and keep the requirements, right? So instead of calling a vendor a data processor, we just call them a vendor and impose all of the same requirements without necessarily mentioning GDPR. And it's a matter of doing business. So, for example, if you are doing business as a bank, let's say you hire a marketing firm; you're going to audit them. And you're going to make sure that they're compliant with specific requirements, but you don't necessarily need to disclose what laws those requirements come from. You can just say, all right, these are the requirements of doing business with us, and it doesn't necessarily need to be GDPR-centric. You can still have all of those requirements without making somebody feel like they're complying with an EU privacy law for no reason. So that's what I would do: I would strip that terminology and make it a bit more clear as to what the requirements are without the whole philosophical explanation behind it.
KRISTINA: [00:15:11] You are making my heart go pitter-patter because I'm such a believer in bringing folks together, including HR, because HR needs to play such a role in terms of building awareness and educating so that areas of the organization where we see data loss or slippage are decreased. Oftentimes, I'm amazed when I go and talk to organizations around their data practices; they say, like, oh, we're doing this right. It's all good. And then I'm like, oh, how are things going with your Google Drive or OneDrive? And what's getting pushed out to vendor Dropboxes? And it's like, oh, never mind, just don't look over there.
DONATA: [00:15:43] And one thing that I would like to see from organizations is, we see some organizations that do have privacy training, but usually it's a third-party purchase. Some video from the eighties. That's very cheesy, and that's like, don't share your password, or don't write down your password and put it on your laptop, or something like that. And I think we're beyond that now, I think. That information is very important, and people shouldn't be doing that. But I think we're a lot beyond that now when it comes to using, sharing, and collecting data, and I would really like to see better training offered to companies and to employees that's actually real-life training, not hypothetical scenarios that they're probably never going to run into, where they just click through the training, and then you're done. I think it has to be more interactive, and it has to be actual scenarios that they're going to run into. And actual hypotheticals and actual training sessions. When I used to work in compliance, we actually did a fake phishing attack on our staff. Because we were supposed to have training that morning on IT, I sent everybody a fake email. It wasn't very clearly phishing, but there were some hints, saying, if you want to see the notes for this morning's IT training, please click on this link. And it was interesting to see how many employees actually fell for that. Even though my email was wrong, my name was misspelled. Things like that, actual active testing and active training where somebody learns something in the real world, instead of just hypotheticals, I think I would love to see more of that.
DONATA: [00:25:05] Absolutely. A disclaimer or terms of service to protect your business. And, even just to answer commonly asked customer questions, like, do you offer refunds, cancellations? What is your shipping policy? Things like that that I think go a very, very long way with consumers in terms of moving them forward in the purchasing path. Because if I go on a website and, let's say, hypothetically, I'm looking at shoes, and I'm worried that maybe the size isn't going to fit me right, the first thing that I do is look for a refund policy and terms of service to see what the refund policy is and what my options are as a consumer. And if that's not present, I'm probably not going to buy from them. Because I don't feel secure enough to know that, okay, if the shoe doesn't fit, I can return it and exchange it for a different one. Not having that information can actually impede customers from buying from you.
Having that information available is very valuable, both from a legal protection perspective, but also from a customer service perspective as well.
KRISTINA: [00:26:07] I find that a lot of agencies and web shops that are supporting especially small and medium-sized businesses are trying their best. It's not with any ill intent, but they oftentimes forget about those terms of service, those disclaimers, et cetera. Is there a way to automate the inclusion of that into the products that they're creating for their customers? What is your advice?
KRISTINA: [00:27:53] That's great. It's interesting because a colleague of mine is moving to the EU next month. And we were chatting about the fact that even the smallest of the smallest companies that she's interacting with are sending her these transparent GDPR privacy notices. They're really kind of upfront about data collection, very much into the digital signature realm. And she lives in the US; she lives very close to me in the DC area. And she was saying, we're so many light-years away, yet GDPR has been in effect only since May of 2018; we've seen these EU shops, even the small companies, evolve quickly. Do you see the same thing happening in the US, or where do you think we are in terms of adoption of these concepts?
DONATA: [00:28:34] I dream of living in the EU. I'm originally from Lithuania. But I live in Chicago now, and I have pretty much no privacy rights unless it comes to my biometrics. But other than that, I have pretty much no privacy rights. And I will confess that I sometimes try to exercise my privacy rights under the EU section. And I'm upfront with that, the fact that I'm located in Chicago, but sometimes I slip through the cracks there, and people allow me to exercise my privacy rights, even though I'm not from the EU, which is kind of cool. But you know, I think that in the US we have a fundamental problem. So in the EU, they have GDPR, one set of rules. Yes, there are some very small differences between countries, but they're pretty minor. So there's one set of rules that everybody needs to comply with. There is a ton of government guidance on every possible question that you could possibly think of. That guidance obviously is imperfect. It's not a perfect world, but it's very cool, right? There's a lot there. If you're a small business, you can call your data protection authority, and they will help you. In the US we don't have that. So we don't really have a federal privacy law that governs business websites unless it's healthcare or finance, very niche industries. And what we're seeing is this increasingly complex patchwork of privacy laws that are based on each state's requirements and, almost, whims at some point. So we don't have this consistent standard. We have a lot of different privacy laws, and that number is growing and growing and growing, which is making compliance very complicated. So yes, we're seeing some companies that are going above and beyond or meeting the requirements, but we also see a lot of companies that are just very, very confused as to what those requirements are. And you really can't blame them because there are a lot of different sets of requirements.
So I think we're sort of moving in the right direction in the sense that privacy is starting to become more important to consumers, and consumers are pressuring companies and legislators to care more about their privacy. But I think we're also stepping a little bit backward in the sense that there are a lot of different requirements, and it's a patchwork, and it's just becoming increasingly difficult to comply with everything that applies to you.
KRISTINA: [00:30:48] So for every person who's listening today and they want to pull their hair out, what would you say to them, as their first step of what they could do? Because a lot of times, people say to me, I just don't know. I don't know if I'm compliant; I'm not compliant. Like where's the north star? What should I do? What are the tips that you have for them? What should they do?
KRISTINA: [00:32:55] Donata, what I'm taking away from this conversation, and I'm sure a lot of folks will share the sentiment, is that this is an incredibly complex area, certainly evolving by the minute. But what I appreciate is your ability to break it down into some practical aspects and the ability for us to take some steps to move forward and get ourselves unstuck, because I feel like that's where we need to be. We just need to be moving forward. And as long as we're moving forward, I'm sure we can collectively get there at some point, but we can't stay stuck.
DONATA: [00:33:25] Yeah, I think you have to start somewhere. And if you think about it, if I think about spring cleaning my house, if I just sit there and think about spring cleaning my entire house, like top to bottom, I will get extremely stressed out, and I will probably never do it. However, if I think about cleaning a window in my office, I can do that. That's no big deal. So I make a list of the things that I have to do, kind of break it down into small tasks that are manageable, and then just start there and go from there, because you have to start somewhere and you have to do something, because in reality, doing nothing is going to be much worse. So don't get overly overwhelmed and bogged down in making huge plans and then never assigning those plans to anyone; break it down into small manageable chunks, and get to where you need to go and do what you can do, because doing what you can do is much better than doing nothing.
OUTRO: [00:34:54] Thank you for joining The Power of Digital Policy. To sign up for our newsletter, get access to policy checklists, detailed information on policies, and other helpful resources, head over to thepowerofdigitalpolicy.com. If you get a moment, please leave a review on iTunes to help your digital colleagues find out about the podcast.