
Compliance Is Good Business: Getting Beyond Fines with Tom Fox of Compliance Podcast Network
AI and shifting regulations are dominating headlines, but a bigger transformation is happening in compliance—and businesses that fail to adapt will be left behind.
Tom Fox, Founder of Compliance Podcast Network, has been a driving force in the compliance world for decades. With AI reshaping corporate governance and regulatory enforcement in flux, businesses are grappling with managing risk while staying competitive. Tom has built a career at the intersection of law, ethics, and compliance storytelling—making him the perfect guest to unpack these shifts. As companies move compliance from a regulatory burden to a business enabler, Tom’s insights on AI, third-party risk, and the future of compliance are more relevant than ever.
(04:21) The Compliance Podcast Network exploded during the pandemic.
(10:50) Through social media and podcasting, Tom built a global compliance practice.
(17:20) AI enhances compliance by spotting risks and improving training.
(24:00) Walmart has used AI-driven compliance training since 2018.
(25:14) Third-party risk is now a major business concern.
(32:01) Compliance is now critical for investors, banks, and insurers.
(33:24) GDPR is the gold standard for global data privacy.
(35:51) Compliance should be seen as risk management, not red tape.
(38:31) Podcasting helps compliance professionals stay ahead of trends.
0:02
Hi everybody, this is Arlo Gilbert, Co-Founder and CEO of Osano, a leading data privacy management platform, and you are listening to the Privacy Insider Podcast.
0:13
This show explores the past, present and future of data privacy for privacy and business leaders alike, as well as anyone who wants to keep privacy top of mind.
0:27
Hi, my name is Arlo Gilbert.
0:29
I'm the CEO and Co-Founder at Osano and today I'm your host on the Privacy Insider Podcast.
0:35
We're going to be talking about compliance a lot in the privacy world.
0:39
It's a big driver and data protection in business is a big deal.
0:44
You got to follow the rules.
0:45
You're going to get fined.
0:46
But let's be honest, it's not exactly a barn burner or a subject for the average person.
0:52
You don't get invited back to dinner a lot when you talk about data privacy, or so we assume.
0:58
But if you look at what's happening right now, it's a wild, wild world of compliance.
1:02
Shifting attitudes about DEI, the new administration's push for less regulation, DeepSeek, the SEC, and crypto.
1:11
And that's just the most recent episode of Tom Fox's Everything Compliance podcast.
1:17
Compliance might just be one of the most interesting things to talk about right now.
1:23
That's definitely true when you're talking to Tom Fox.
1:25
Tom is well known in the compliance world.
1:28
He has been a general counsel and a chief compliance officer.
1:31
He's the author of the seminal text The Compliance Handbook, which is now in its 5th edition.
1:37
He's a columnist for Corporate Compliance Insights and is the voice of compliance and a compliance evangelist.
1:42
He is a well-known and frequent speaker on compliance and ethics issues, social media use and corporate leadership.
1:50
And in December, he was named the GOAT of compliance.
1:53
And GOAT does not mean he has four legs and a beard, it means he's the greatest of all time.
2:00
He runs the Compliance Podcast Network where he fills several podcasts every month with content about things like compliance, including Two Gurus Talk Compliance, Everything Compliance, Data-Driven Compliance, The Ongoing Adventures of Compliance Man, and much more.
2:19
If you want to know about compliance or podcasting, Tom is the guy to ask.
2:24
So we are thrilled to have him as our guest this week, to talk about the state of compliance and where privacy fits in.
2:31
Tom, welcome to the show.
2:32
I'm so glad to have you, Arlo, thrilled to be here with you today.
2:37
Yeah.
2:37
So maybe we can dive right in.
2:39
I mean, if you haven't heard of Tom's podcast network, maybe you just want to start off with a real quick overview of of your podcast network so that everybody here can make sure to go check it out.
2:52
Sure.
2:53
Arlo, I actually have two pod networks, but the one we're going to talk about is the B2B or business to business podcast network called the Compliance Podcast Network, focused on appropriately all things compliance.
3:06
It's founded in 2017.
3:08
It literally blew up during the pandemic and I've been able to transition to pretty much full time podcasting since that time.
3:15
That's pretty amazing.
3:16
It's like being a YouTube star.
3:18
Most people just get to do it as a side hustle.
3:20
So Congrats.
3:21
Well, I'd love to learn a little about, First off, how'd you get to Texas?
3:25
Tell us about that.
3:25
Where are you from?
3:27
How did you arrive here?
3:28
Were you born here or did you just get here as fast as you could?
3:31
I'm a native.
3:32
Wow.
3:34
You don't meet a lot of native Texans these days.
3:37
I, I too am, am a native Texan from here and grew up here.
3:41
And it is very rare for me to meet other people from Texas.
3:45
So I was born in Houston, but I spent my formative years in the megalopolis of Central Texas.
3:51
Bryan College Station.
3:52
I got so.
3:54
So you are an Aggie then, I take it?
3:57
I am not.
3:58
Thank you very much.
3:59
I went to the University of Texas.
4:00
All right, Hook 'em Horns.
4:02
Me too.
4:02
That's fantastic.
4:05
First male in my family not to go to A&M.
4:08
So you you were the proverbial black sheep in the family then?
4:11
Or the orange sheep in the family, I guess?
4:14
Absolutely.
4:16
Well, tell us a little bit about your background.
4:18
So you grew up in, in Bryan, TX and you know, you, you bucked the trend and went for the orange and how do you end up becoming a compliance podcaster?
4:27
How do you how do you even start?
4:29
What, what, what does that journey look like?
4:31
It was a long, circuitous journey.
4:33
I'm a lawyer by professional background.
4:35
I've practiced law for 40 plus years.
4:37
The 1st 25 I was a trial lawyer.
4:41
I burned out of that in the first couple of years of this century, transitioned over to the corporate world and went to work for a oilfield service company called Halliburton.
4:52
I always practice law in Houston, so that meant a lot of energy work because of the nature of the business in Houston.
4:59
So I went to Halliburton and I did contract work, traveled all over the world, lived in Dubai, just basically troubleshooting contracts.
5:08
And then from there, I transitioned that over to a general counsel position at another oilfield service company.
5:14
In 2007, had the largest fine in history of the world on a particular U.S. law that prevents U.S. companies from engaging in bribery and corruption outside the United States.
5:27
That law is called the Foreign Corrupt Practices Act.
5:30
The company had already pled guilty to or pled to violating that law, and I was brought in as a part of the new management team.
5:39
They swept out the old guys and they were all guys, and it brought in a new team to implement a compliance solution inside of the corporation.
5:49
We had a corporate monitor and very robust DOJ oversight, and that was my first real experience with compliance, and I learned there about the nuts and bolts of compliance.
6:00
The company eventually got sold and my job went away, and I decided what I really wanted to do with my life was race bicycles.
6:08
So I went off on this great adventure of cycling 20 and 40 KS.
6:12
Had more fun than I'd had in a long time until one training ride I was taken out by a Hummer and that ended my cycling career.
6:23
So not a proverbial Hummer.
6:26
Like, wow, that was a real Hummer.
6:27
Like, you got hit by a real Hummer.
6:30
Hummer 1, Tom Zero.
6:33
Yeah.
6:33
So anyway, after I convalesced for a few months, I got on when I had enough energy to get on my Walker toddle into my office at home, I realized I was going to have to go back to work.
6:45
And I thought about it, and I realized what I really enjoyed in my last corporate position was doing the nuts and bolts of compliance, meaning building out a compliance program inside of a corporation.
6:58
So it's 2010.
7:01
There were very few lawyers doing that back then.
7:05
If they were in compliance, they largely did investigations or negotiated with the government.
7:10
If you do investigations, you have to have a team because it's always a large number of people need to go do interviews literally across the world.
7:19
I wasn't ever a prosecutor, so I didn't feel like I was really the guy to sit across from a prosecutor and negotiate a settlement.
7:27
But I could build out compliance programs.
7:30
So I started a law practice based on compliance and I decided to be the nuts and bolts guy.
7:38
I really I wasn't banged up too bad considering, but I just was banged up internally with bruised bruised organs and stuff like that and just took forever to heal.
7:51
So the only time I could leave the house was to go to physical therapy.
7:55
So I couldn't meet people, I couldn't go have a drink, couldn't go have lunch, couldn't go to a conference, couldn't go to a meeting.
8:01
Sounds like COVID.
8:03
Yeah, It was 2010.
8:05
And so at that point in my life, I knew nothing about social media.
8:11
And so I just started exploring social media and the only thing I had on my hands was time.
8:18
I had no money because I had no income.
8:19
So whatever I did had to be at no cost to me.
8:23
And you probably couldn't do it now, but actually it was Twitter that put me on the map because it was a real B to B platform back then, and I'd always written a lot of articles as a lawyer.
8:34
So I started blogging and blog every day and A blog every day since that time.
8:43
And the blogging led to podcasting.
8:45
I started podcasting in 2012.
8:47
It was just a natural extension of my marketing efforts.
8:50
Probably the only thing I wish I had done differently was in 2010, trademark the phrase working from home because I could have retired because that's what I did.
9:02
I started working for moment into Yeah in 2010.
9:07
And I literally built a worldwide, built a worldwide consulting practice out of my house within six months through social media in 2010.
9:17
And I remember one time I was talking to someone from London and they said, tell me about all your clients in Houston.
9:23
And I thought about it a minute and I said, I don't have any clients from Houston.
9:26
They're all across the globe.
9:29
And so that's really how it started.
9:31
The I've started, as I mentioned, the started the compliance podcast network in 2017.
9:38
I decided in 2019 that I either had to fully commit to it or move it to hobby status.
9:45
So quit practicing law, bought all the cool toys what you see here, built this huge network and at the end of the year I made about $10,000 and I thought, well, that was interesting.
9:59
It's have to go back to practicing law.
10:00
So I practice.
10:01
So Q1 of 2020, I started my my law practice, which was focused on compliance.
10:08
And then COVID hit and they shut the country down.
10:13
Well, that ended all legal work.
10:15
And so I'm sitting around like everybody else, you know, and they March, April and May twiddling my thumbs trying to figure out what to do.
10:23
And starting on May 15th, I got a call from literally every product provider in compliance with the same question, how long to get access to your network?
10:36
Because even by 2019, I had the largest social media presence in compliance, and I still have the only podcast network in compliance.
10:45
But because of all of the work I've done in 2019 and all the money I'd sunk into the infrastructure of the network, my answer was 24 hours because it was literally a drop in drag or a plug and play.
10:58
And so my little compliance world exploded.
11:01
And I've basically since that time tried to manage the growth, the explosion of growth I had in 2020 and keep that going, which I've been able to do.
11:10
That's amazing.
11:12
You know, the one thing we didn't, we didn't cover was why did you decide you wanted to be a lawyer?
11:19
What, what, what kind of led you in that direction?
11:21
Was it the dreams of, you know, being in Clarence Darrow and standing up in front of the Supreme Court and battling trials?
11:28
Was it the, the structure of the law?
11:30
What, what brought you into law in general?
11:34
When I was very young, pre elementary school, I live with my grandparents and my grandfather was an immigrant from Italy.
11:42
And one time he said to me, Tommy, would she call me Tommy?
11:46
Every family needs a doctor and a lawyer and you're not smart enough to be a doctor, so you're going to be the lawyer.
11:54
Well, that's tough love if I've ever heard it.
11:57
Well, it sounds like it worked out well.
12:00
And so you know, you undoubtedly, you definitely have got the largest, the largest following that we have ever seen on the compliance world.
12:07
So kudos to you on that.
12:09
And getting into podcast sounds like it's been a real journey.
12:11
I mean 2012 to be podcasting, I think it was it was like you and then the the MTV VJ Adam, not Adam, Adam Curry, Adam Curry, yes, Adam Curry was a big early podcaster and and I remember I remember seeing and thinking this is interesting.
12:28
I don't know what you do with it, but guys like you saw the future.
12:32
So kudos.
12:33
That's amazing.
12:35
It was just a great way to market.
12:38
Yeah.
12:39
So.
12:39
So tell me, tell me about Kerrville, because I'm, I, I haven't been out to Kerrville in maybe 10-15 years, but, you know, I know you're out in that general vicinity.
12:50
I went to a summer camp out there in Medina and I got to know Kerrville very well and spent time on the river there, floating, floating with tubes and Coca Colas.
13:00
And it's so beautiful out there.
13:02
Is there a is there a Tell us about the town.
13:05
I mean, it deserves to be talked about.
13:09
Well, the reason I'm here is basically the same reason you just gave.
13:14
When I was very little, I went to summer camp in hot Texas.
13:18
And at that point my life, we lived in Houston and I'd never seen a hill.
13:23
So I thought the Hill Country was most beautiful place I'd ever seen.
13:27
I always said I would move here if I could.
13:30
My wife's job went totally remote in during the pandemic and I said let's move to the Hill Country.
13:36
And three days later she had us 5 houses to look at.
13:40
We drove out, found a house on the Saturday and in great negotiating style, I turned to the agent.
13:46
I said I don't care what it costs, I'm going to take it.
13:49
And we moved and that's how we got here.
13:54
Kerrville itself is a county seat of Kerr County, Texas.
13:58
It is most famous for the Kerrville Folk Festival if you're into folk music or singer-songwriter music, which is now 53 years old.
14:06
I'm getting ready to go on the board of directors of the Kerrville Folk Festival, so I'm very proud about that.
14:10
It is as a Museum of Western art #2 Museum of 4 W contemporary Western art in America.
14:20
So that's pretty cool.
14:21
They have a huge local music scene.
14:26
Every restaurant has musicians playing and it's all singer songwriters are almost all.
14:31
So that's very cool.
14:32
It has an incredibly vibrant local art scene.
14:35
I've gotten to know a lot of the artists through one of my other podcasts and get to be a part of their community.
14:42
Multiple writers, just this gem that nobody knows about or very few people know about.
14:49
In the Hill Country West, TX, we're hour and a half West of San Antonio, two hours South of Austin, an hour from the airport in San Antonio.
14:57
So it for my mind, it's the perfect place.
14:59
Yeah, Kerrville is beautiful.
15:01
I, I had the pleasure of going to that Folk Festival back in the 80s and like I saw, I saw Butch Hancock sitting there and he kind of went off and became a recluse and disappeared out into the Hill Country somewhere from what I hear.
15:17
But we'll look, we could probably talk about music all day long and podcasts all day long.
15:22
But I know that our audience is really interested to hear a little bit more about compliance.
15:26
And you know, we have an audience here on the podcast that's really much more focused on data privacy as a kind of subset of general compliance.
15:37
And it would be really great.
15:38
I mean, you mentioned the the Foreign Corrupt Practices Act, for example.
15:42
Let's just jump right into it because that's been in the news this week, I think, right?
15:46
Didn't they fact today, I think or, or real recently there was something, I haven't seen anything today, but about 3 weeks ago, Donald Trump in his infinite wisdom announced that he was suspending enforcement of that law.
15:59
And for at least a year, probably during the term of his presidency, so many people in the compliance community have sort of scrambled to have a response.
16:11
And then from that, how are we going, we as a compliance community going to justify our profession going forward?
16:19
So I spent a large part of my time over the past three weeks not explaining things like the FCPA, still the law.
16:28
You can't overturn a law by presidential fiat, but this is a great opportunity for compliance professionals.
16:36
And it's an opportunity because compliance can no longer say the reason we are here is to wag our finger at you and say don't do that, that's bad, you'll get in trouble.
16:47
We now have the opportunity to demonstrate to senior management, to the board of directors, to any stakeholder who wants to listen.
16:57
The value of compliance is a business process.
17:00
So one of the reasons I was so excited to visit with you on this podcast is the same holds true for data privacy and data protection compliance professionals, compliance basically has the same general framework for every type of situation.
17:19
Now we differ in laws that we focus on.
17:21
I'm FCPA guy, you guys are more data privacy.
17:24
You may be even looking across the pond to the GDPR, which is the gold standard for the world and rightly so.
17:32
But our framework for assessing our risk under it, managing that risk and improving our compliance program is the same for whatever law we're following.
17:42
So I have written extensively, literally over the past two weeks about how we all have to up our game in compliance.
17:52
And I think we're going to up our game because of AI.
17:58
So I'm in the middle of a blog post series on utilizing AI to improve your compliance program now.
18:05
And I'm also using that as a springboard for a book which will be out in April on the same topic.
18:12
Well, that'll be fantastic.
18:13
Why?
18:14
I can't wait to read that.
18:16
I'd love to hear your thoughts on AI. I mean with the it's been in the headlines constantly lately.
18:22
You know where when you think about the overlap of AI compliance, I guess there's two pieces to it.
18:27
There's one piece, which is the, you know, how do we govern, regulate, become compliant while our people use AI or our products have AI.
18:38
But then there's also the side of it that you're talking about, which is how can, how can, how can compliance professionals actually leverage AI to improve their workflows and reduce time and all the good stuff that you want to get from software?
18:53
I'd love to, I'd love to hear your thoughts on those two.
18:56
Sure.
18:57
So let me take the first one because in my mind it's a little bit easier.
19:00
That's the government's part.
19:01
The Department of Justice in September of last year issued guidelines for compliance professionals around AI.
19:09
They were very general, but they basically said compliance has to be a part of the government's governance.
19:15
We don't have to lead it, You don't have to be the AI person in your corporation, but you have to be a part of that group and it should be a cross functional group that manages it.
19:26
You need to make sure the data going in is not biased and that the data coming out of course is therefore not biased.
19:34
You have to test it, etcetera.
19:37
That's the governance part.
19:38
But the part I'm focusing on is how can a compliance professional use AI in their everyday compliance program?
19:47
And so the frameworks around compliance are well known.
19:53
They're not trade secreted.
19:55
Nobody's got an in secret insight to compliance that somebody else doesn't have.
20:00
And it's basically tone at the top.
20:03
Written procedures, policies, procedures, code of conduct, someone with authority to run it all, training and communication of what your program is.
20:13
Assess your risk and manage your risk.
20:16
If you are engaged or or make sure your third parties are compliant with whatever requirements you put on them, whether it's data privacy or anti-corruption and anti-bribery compliance.
20:29
If you engage in some merger and acquisition, look at that from your target.
20:36
Have a way for people to report internally, i.e. a whistleblower program, and then have investigations when something comes in.
20:46
So that same framework works for every compliance program. Now, anti-corruption compliance focuses a little bit more on third parties because that's the highest risk.
20:59
But in in your world, you have to get companies to understand their data privacy risk is going to come in most likely through a third party.
21:09
I understand you have to train employees, etcetera, but that's also a risk.
21:13
And then in the risk management framework, it's something along the lines of the following.
21:18
Identify your risks, assess that risk, put together a risk management strategy based upon your assessment, train your employees on your risk management strategy, whatever it is, implement the strategy, monitor the results of that implementation and then improve as appropriate or continuous improvement.
21:40
So I, I looked at those two general frameworks.
21:43
It said, where can AI come in and where can I put AI in any one of those places?
21:48
So that's what the book is going to be based on.
21:51
But it is things like a risk assessment.
21:53
It is things like what's a risk management strategy?
21:56
It's a thing thing like putting all your third parties into a program to see do they have a compliance program that you can rely on?
22:06
It is training.
22:08
It is policies and procedures.
22:11
It is how can I do investigations more quickly and efficiently and how can I use AI to look at vast amounts of data, not to tell me if something's right or wrong, but to find anomalies that might warrant further investigation.
22:28
And so I wrote each chapters it generally based on that.
22:32
And what I try to do is lay out the things that compliance officer would need to think about.
22:37
And then in each chapter, I have a couple of case studies of AI based programs in place today.
22:46
And that was a real surprise to me because once I started looking, it turns out people have been doing this for at least 10 years now.
22:57
They didn't call it AI, but that's what it was when the best example I would point you to.
23:01
And so that case study becomes a part of that chapter and it's entitled to futures.
23:06
Now here's the AI.
23:09
Now the solution they came up with in 2015 or 2018 or 2020 was a bespoke solution that they had to pay a lot of money to create.
23:21
But the change now is there are companies head head that actually have those solutions built in, AI built into their solutions and they are offering it at a cost effective basis.
23:35
And that a company that may be $50 million and could not have afforded a full Citibank, AML, anti corruption or anti money laundering program based on AI, they might be able to come to you and say, you know, we can, we can afford your program.
23:52
And that's Part 1.
23:55
Part 2 is the business response is not the business response is going to look at your third parties, your vendors, companies from your procurement side or third parties on the sales side to see if they have those capabilities.
24:08
So, but the best the either the best example I can give you, the one that struck me the most was in training Walmart of all people in 2018 put an AI based training program in for sales associates around compliance and ethics.
24:26
And then they added a VR component.
24:28
So I have these pictures of Walmart stores in China in 2018 training people to go out on the floor on ethics.
24:38
And so it turns turns out these have been around forever.
24:41
And I'm sure it cost Walmart an arm and a leg, but there are now training companies that have incorporated that into their service offerings.
24:48
And so I think we have a real opportunity in compliance to start talking about it and thinking about how we can increase at scale our capabilities.
25:01
What I mean, the human's going to be there because the human has to make the assessment, but the ability to look at vast amounts of data is going to be so much greater.
25:09
And we haven't even got the GDPR yet or the EU AI Act or any of those things which are once again, GDPR has led the world of data privacy.
25:20
EU AI Act will lead the world in AI because America's abdicated its responsibility to put together a, a regulatory framework in place.
25:29
So I think it's a a great time.
25:32
I think it's a great opportunity for compliance professionals to really up their game and move to demonstrating compliance is a business process.
25:42
And if we flip over to data privacy, every company has to assess the data privacy protections of their vendors.
25:52
Because if if you're connected just to get an e-mail, that's a connection that one of the bad guys can exploit.
26:01
Now, if you're connected in the supply chain in terms of payments or deliveries or any other way, the risk just grows exponentially.
26:09
So because of the interconnectedness, every customer or user of a vendor needs to be looking at their vendors all the way down the chain.
26:23
And that's true in data privacy compliance, it's true in data protection compliance, it's true in anti-corruption compliance.
26:29
It's true in anti-money laundering compliance or any other type of compliance you want to name.
26:32
Yeah.
26:32
I mean, look, you know, even even the food industry has, you know, good clear labeling and and, you know, practices that make it transparent about the supply chain, right?
26:46
You're the the tuna fish in the can that you bought at the grocery store was line caught certified.
26:53
And you know, all these things have happened to make sure that it's it's safe and compliant, right?
26:59
And, and, and we see, we see even the food industry being able to do things like that and, you know, maintain their supply chain.
27:06
So this is not only a B to B problem really, I mean that supply chain impacts everything we do, right.
27:13
We, we'd like to know whether AWS is involved in this in, in listening and on the conversation or is Google, is Google, you know, going to be showing me different ads tomorrow because of what we talked about.
27:25
So when we think about AI, you know, the, the new administration has come in and it appears to be that they are leaning in very hard on technology.
27:40
We've seen, you know, statements about crypto.
27:44
You know, we saw that they were, of course, they were the, the, the, the party that was pushing for the, the Chevron ruling.
27:54
And so I'm really interested to get your take.
27:56
We've got this new administration in place.
27:58
You, you've been part of FCPA and compliance for a long time.
28:04
So we have the challenge of less regulation on some areas.
28:08
But what's that going to look like in the next couple of years in your mind?
28:12
And, and how do the, how do these current headlines that kind of shift every day?
28:17
How do you plan for the future as a compliance professional when it's unclear what the laws will be and what would, what laws we have to follow?
28:29
That's why that's exactly the opportunity compliance has.
28:32
And more importantly, that's actually the solution that a compliance program or compliance framework with compliance professionals bring, because the framework I described of identify risk, assess risk, risk management strategy, train, implement, monitor and improve.
28:51
That's a strategy for any risk, for any law or lack of a law.
28:55
This administration seems to want the market to more regulate itself.
29:02
I don't mean in terms of enforcement, but sort of hashing out what the laws or rules may or may not be.
29:09
Some may think that is a positive.
29:13
Excuse me, but what that will lead to is 50 different rules, laws and regulations because of 50 different states, which is one of the most difficult things because now you have all of them.
29:26
But I was at a conference and someone from Google basically said the US is the least of my problems.
29:35
It's Europe because they have the most robust law.
29:38
So if you take the position that whatever I have to do in Europe is what I'm going to implement as my compliance program, you've already met the gold standard, but doesn't matter what the US does.
29:49
But the second part of this Arlo is, and this is what I saw in anti corruption compliance, specifically in the energy industry.
29:58
So starting about '06, the federal government did what we call an industry sweep where they swept through the energy industry and every major company either had an investigation or an enforcement action.
30:14
Houston has the most energy company headquarters of any city in the world.
30:21
So Houston actually is the FCPA enforcement capital of the world, but it but it's because of energy.
30:28
But the response, because so much was concentrated in Houston was the following.
30:34
In the energy world, at the top of the heap are Shell, Exxon and Chevron, and they're the operating companies.
30:42
All they do is own the energy.
30:43
They don't do the work to pull it out.
30:45
The companies that do the work are called service companies.
30:48
That's Baker Hughes, Halliburton, Schlumberger and Weatherford.
30:53
So there are four service companies.
30:55
Everybody works for one of those service companies in the energy industry literally all the way down, and I mean all the way down the supply chain to I represented a $15 million software company once and it was ex Halliburton employees and they figured out a way for some piece of software to do something downhole.
31:18
And so they started a company and I kept, they were too small to have their own sales force.
31:24
And I kept telling them, look, guys, you're going to have to have a compliance program if you want any investments, if you want anyone to partner with you or if you want a contract.
31:35
And they, I finally talked them into let me put a compliance program in place.
31:39
Two weeks later, one of those service companies came to him and said, we like what your tool does.
31:44
We want to make a big investment.
31:46
And the second thing they asked for was the compliance program.
31:50
It's a long winded way of saying the business response to the US government's enforcement of the FCPA was to require everyone literally down that supply chain to have a compliance program in place that would be audited and would be reviewed.
32:08
And that's what's happened in your world because now and, and I do still do contracts and energy.
32:16
So I know what's required and I know that data privacy is required and data protection is required of anyone.
32:26
My little $30 million safety company does when they go on a plant and do their safety thing.
32:33
And I know they have to open themselves to be audited in those areas.
32:38
And I know that it's something that they have to attest to annually that they've met the minimum standard, whether it's an ISO standard or whether it's a contract standard, whatever it may be.
32:48
So now we have compliance is really a business response because it's a business process.
32:56
And that's why I think compliance is so well suited in 2025 to make a huge leap forward in its significance to a company because it's an embedded business operation now and it's an embedded business operation that other companies want to audit.
33:15
The private equity wants to look at if they're looking at an acquisition or an investment that even a bank, if they're going to loan you money, they want to look at your compliance program.
33:24
Even if you're going to get insurance, they're going to want to look at your compliance program.
33:28
Yeah, we're seeing more and more of that as well.
33:32
You know, customers are coming in because an insurer said like you've got to, you got to have some basics in place here.
33:40
And that is such a shift from just five years ago.
33:44
So it, it sounds like so the, the, the deregulation at the federal level is probably a negative in some regards.
33:54
It offloads a lot of that responsibility to the states.
33:57
And, you know, we just talked about one industry and one state and, you know, that was, you know, that was a lot.
34:05
So I guess, I guess the, I guess the administration is going to get their way in terms of, you know, states rights and, and, and states being responsible for these things.
34:13
But they may not, may not like what they get because some of these states are getting pretty serious.
34:20
Don't ask for something you might get it.
34:22
That's right.
34:23
That's and you, you know, you can bet California will lead the way, just as it did with data privacy.
34:28
And now businesses are screaming all I've got 38 different standards I have to apply to.
34:33
Well, yeah, you're right.
34:34
And the reason is because, you know, Congress in its infinite wisdom did nothing.
34:40
And why don't you just go over and get GDPR and you'll have a standard that'll meet everything.
34:44
That's always my response.
34:46
Yeah, but or pick California standard or New York has a robust standard and use any of those standards.
34:53
That way you'll meet the lesser standards.
34:56
But you're absolutely correct, 50 different sets of rules and regulations and you know, whether you have it drawn up on your whiteboard in your office, you know, what are the rules in Texas?
35:07
When do I have to disclose?
35:09
And every other state.
35:10
So, yeah, it's a it's a challenge, but that's the lay of the land and I don't see that changing.
35:18
Yeah, yeah, it's going to be an interesting next couple of years for sure.
35:23
So when you think about that intersection of privacy and the broader compliance world, you know where, where do you see data privacy fitting?
35:32
You know, we've, we've seen trends of more compliance related activities falling under the CISO's organization.
35:40
We've seen, you know, kind of changes in titling across compliance.
35:44
I'm I'm really interested to understand, you know, what you're seeing out there right now.
35:48
You talk to a lot of people in the category.
35:51
So data privacy will always require a technical expertise that I as a lawyer don't have.
36:00
And so that that's never going away.
36:04
Whether you bring that under what my next sort of evangelic mission after I get off this AII ORS will be people.
36:14
This is risk.
36:15
There's a corruption risk, there's data privacy risk, there's data protection risk, there's money laundering risk.
36:21
Whatever the risk is, there's business risk, there's weather risk, there's risk we probably haven't thought of yet out there.
36:31
There's tariff risks, you know, wherever it may be.
36:35
And what we have to do is manage risk.
36:38
And that's why I think compliance is uniquely suited because we all are in the business of risk management.
36:45
Whether your title happens to be CSO or CCO, you're managing a defined set of risk.
36:52
But those principles you use to manage that risk, those can be used for any corporate risk and putting a broadening the discussion from no data privacy compliance or data protection compliance to anti-corruption compliance, to AML compliance.
37:10
Let's maybe talk about risk and risk management.
37:13
Because if we have a group in the company that puts the risk in that risk management framework I talked about, is a lawyer who heads risk management going to come to the CSO and say, help me develop a strategy, help me train on that strategy, help me to implement on that strategy and help me to monitor that strategy?
37:33
You bet, 100% of the time, and so CISOs aren't going away, nor are the technical requirements for data privacy going away.
37:42
But if we could move that discussion to risk where companies don't look at you guys are certainly my people as the department of no populated by Dr. No wagging their fingers saying no.
37:56
And as a business operation or business process that allows you to manage the risk so you have greater business opportunity.
38:04
Not only will be a huge shift in perception, but it will be a huge shift, I think to make businesses run more efficiently and profitably.
38:12
All right.
38:13
Well, something good will come out of it.
38:14
So compliance doesn't have to be the the finger wagger.
38:17
It can be a a top line revenue improver.
38:21
It can be a goodwill generator.
38:22
There's so much good that comes out of it.
38:25
And you know, I think one of my very favorite things, I don't know if this is how you feel about about our category is the compliance.
38:32
Even though it's kind of a dry subject, ultimately we're trying to get people to do the right thing.
38:37
We're just, we're trying to do something positive and, and good, you know, with these compliance rules are there for a reason.
38:43
They make sure that the food is safe, that make sure that you know what's in your coffee.
38:48
They make sure that you can drive down the street and trust that the stoplight will stop, you know, will will turn red when the stop sign is supposed to come on.
38:57
All these things that we, we really take for granted.
38:59
Compliance is underneath all of them and it makes me excited every day to get up at least.
39:06
So I'd love to just absolutely love to just shift gears and, you know, hear a little bit about, you know, some of the things that, you know, we, we don't talk about.
39:15
So, you know, I, for example, you know, I, I, I am pretty much always willing to give away my personal information for a good video.
39:25
And you know, I'm, I know I shouldn't.
39:27
And yeah, I do it anyways.
39:29
And we have a video series internally called I'm a Privacy Probe.
39:33
But, and I'm really curious, you know, you're you're a compliance professional.
39:36
Do you have any guilty pleasures that that you'd like to confess on air?
39:43
So here's what I do every day.
39:45
I sit and talk to the smartest people in compliance and I just listen basically.
39:53
And I'm or my questions are, tell me your story.
39:57
Then I listen and they tell me about their company.
40:01
They tell me about the passion they have around what they're doing.
40:04
And they tell me how to apply it to any situation.
40:08
And so it's not that I had the Superman vision to see around corners, but I'm talking to people who see around corners and I'm talking to everybody.
40:17
So it gives me the ability to put all of these dots together in a line that others don't have because they're not talking to everybody.
40:26
And so that's.
40:28
One of the reasons I just love podcasting so much is it I've literally talked to the smartest people in the world and I was I'm a voracious reader, but now I'm a voracious consumer of information in the podcast format.
40:43
So you always have a podcast going in the background, huh?
40:49
I do.
40:50
I listen to six to eight pods a day.
40:52
Awesome.
40:53
Well, you know, Tom, really appreciate you joining us today on the show.
40:58
It's been a pleasure.
40:59
I have enjoyed learning about your podcast network, about your thoughts and compliance and AI.
41:04
And we are certainly in an interesting time.
41:06
So it seems like we agree that there's a lot of work to do in 2025 for compliance professionals and there's a real opportunity in front of them to to go in and show the business that they're not the finger wagger.
41:18
So thank you for joining us today.
41:21
Well, it's really been my pleasure.
41:22
It's been a ton of fun to visit with you to prep for this and do this actual recording.
41:26
And I hope we can continue this conversation.
41:28
I sure look forward to it.
41:30
That would be awesome.
41:30
And next time I'm in Kerrville or you're in Austin, we're getting some tacos.
41:35
It's a deal.
41:38
Thank you for listening to this episode of the Privacy Insider Podcast.
41:42
You can find a full transcript of this episode and any show notes at osano.com.
41:48
That's www.osano.com.
41:52
And while you're there, get access to an excerpt of my book, The Privacy Insider:
41:57
How to Embrace Data Privacy and Join the Next Wave of Trusted Brands, which is now available on Amazon for purchase. Until next month,
42:06
take care and remember, data privacy is a fundamental human right, y'all.
Arlo Gilbert is the host of The Privacy Insider Podcast, CEO and cofounder of Osano, and author of The Privacy Insider Book. An Austin, Texas, native, he has been building software companies for more than twenty-five years in categories including telecom, payments, procurement, and compliance.