Privacy Lawls with Donata

Ep.34 | How to create a data inventory (Guest: Brian Focht)

What is a data inventory and why is it the foundation to any privacy program?

What core elements should a data inventory include?

Why should every company have a data inventory, even if they don’t need to comply with current privacy laws?

We had guest Brian Focht on Privacy Lawls to discuss these questions and more.


[00:00:00] Hello, and welcome to episode 34 of Privacy Lawls, where I, Donata Stroink-Skillrud, speak with amazing privacy professionals, and we have some laughs along the way as well. Today, I’ll be speaking with Brian Focht about how to create a data inventory. Brian serves as senior counsel at Shoemaker, Loope and Kendrick LLP.

With extensive experience in data privacy, cybersecurity, and AI governance, Brian helps businesses and individuals manage complex legal challenges from privacy compliance and AI adoption to data breach response. A certified information privacy professional and certified artificial intelligence governance professional, Brian addresses the unique challenges posed by emerging technologies and evolving privacy laws and regulations.

Brian, thank you so much for joining me today. Thank you for having me. Absolutely. So to start us off, um, what made you interested in working in privacy and cybersecurity?[00:01:00]

It started a lot with my… It was sort of a combination. Uh, I left law school and my goal was to be a litigator. Uh, I wanted to be in court. Started doing that and really enjoyed that, but I also have had an affinity for technology and efficiency and sort of adopting new and better ways of doing things, and that’s sort of translated into my, what was a technology consulting for law firms, uh, side business basically.

I started a blog called “The Cyber Advocate” back in 2013, um, where I wrote about that. I wrote about basically how law firms can improve their practices, improve their client service by adopting various technology tools, software programs, platforms, things like that. And one of the [00:02:00] fund… I s- I suppose when you’re talking to law firms about adopting technology, their first question is, “How much does it cost?”

Mm-hmm. Uh, the second question is, “How do I keep my client data confidential?” Mm-hmm. That’s anything that might threaten an attorney’s license is going to be among the first questions you get. So one of the big topics I had to deal with a lot with was security. And just having a long history of being very interested in technology and, um, being quite a bit of a computer nerd myself, I just did a lot of stuff with cybersecurity.

I decided that as much as I really enjoyed litigation, my real interests were in the cybersecurity and related fields and went out, s- started my own firm in 2017 focusing on cybersecurity. As time went on, GDPR passed in Europe, CCPA passed in California. All of a sudden where privacy [00:03:00] had been kind of an afterthought for anyone outside of the healthcare industry- Mm-hmm

it became very much front and center, and the crossover between security and privacy was, I mean, as, as far as Venn diagrams go, it, it wasn’t exactly a com- just a complete overlapping circle, but it was pretty close. And so I started doing a lot of privacy related stuff and when ChatGPT’s, uh, major public, uh, version, version 3.0 was released in October of 2022 and the whole AI revolution kind of kicked in, I had been involved in dealing with AI technology before that and it was just kind of a natural, uh, thing to add to the Data privacy and the cybersecurity is like data privacy is what data do you have, cybersecurity is how do you protect it, and AI is what beneficially can you create with it.

Mm-hmm. So it all ends up being data related, and that’s basically how I [00:04:00] got to the position I’m at now. Yeah. That makes total sense. I think a lot of us kind of followed a very similar path of, you know, maybe we initially were thinking about doing something else. Like, I was initially interested in business law, and then this kind of just came up and I got interested in it and, you know, here we are.

I feel like there’s, there’s, there are versions of this all throughout, you know, history. The law changes to match technology, and one of my mentors, uh, followed some of that in the ’80s with, uh, basically aviation law. Mm-hmm. There was a, a lot of big changes in aviation law that happened, and he actually got really heavily involved with that by being part of the litigation about, uh, over the Challenger.

Yeah. And so you never know how you’re gonna end up backing into s- these things sometimes, and it just… You know, things change, so being flexible and able [00:05:00] to adapt certainly helps. Absolutely. Um, so, you know, you’re a certified AI governance professional. I know that a lot of lawyers are worried about AI as it relates to the practice of law.

Do you personally see AI as a risk or an opportunity for lawyers, or maybe both? I see AI as a tool. I think that there is so much hype in so many different directions. I routinely joke with my clients about AI issues, say I use AI probably more than, uh, most people do. I’m also as big of an AI skeptic as you’ll find.

I don’t take any of the comments coming from any of the current leaders in AI at face value. Uh, I assume that it’s all puffery and Uh, so it’s… The, the thing about it is, and I actually learned this when I was doing my legal technology consulting and actually [00:06:00] focused more on the ar- the issue of social media.

When it comes to lawyers, one of the things you have to bear in mind is there’s pretty much nothing new under the sun, and regardless what comes along, the rules still apply. Mm-hmm. So if you couldn’t do it yourself, you can’t ask a paralegal to do it. If you can’t ask a paralegal to do it, you can’t ask a social media platform to do it.

If you can’t ask a social media platform to do it, you can’t ask Claude to do it. It’s not that complex. And if you’re going to outsource the writing of a brief to a junior associate, to, you know… I mean, even before the generative AI explosion, the outsourcing of writing legal documents to India was a very, very big thing.

Are you saying to me that you trust the outputs from a non-legal AI system more than you trust the outputs from a legally trained licensed attorney who happens [00:07:00] to be in Bangalore, such that you will read one but not the other before submitting it into a court? Mm-hmm. It’s if you treat AI like the tool that it is, you’ll be fine because you’re not going to use it on things that it doesn’t make sense for.

You try it on anything else. Um, there’s, you know, a, a long history of getting great things out of using things off-label, to use a pharmaceutical- Mm … uh, term. And I think that’s perfectly valid. I think there’s a lot of experimentation that goes along and, you know, good things that can be tried. But if you are taking a system that you know doesn’t have adequate security built in, and you are relying on their representation…

I’ll just use, uh, a generic, we’ll call it a generic legal AI tool that is 95% [00:08:00] just a wrapper around either Claude or, uh, ChatGPT, meaning it may filter the language, it may change how the output looks, but it’s still putting primarily all the information through those platforms. If you’re relying on those platforms to protect your data without actually asking what their contract with OpenAI or Anthropic looks like, you are not doing your due diligence.

Just like you wouldn’t ask your, you know, you wouldn’t ask Iron Mountain, who’s taking all of your documents, uh, and, and storing them long term, y- y- you would, you would make them sign a form saying that The– every single aspect of what they do has to comply with your legal obligations when it comes to confidentiality and the attorney-client privilege.

But you’re not requiring these AI tools to provide the same level of assurance, even though they’re getting the same information, and you’re relying on their representations [00:09:00] that things are sandboxed, things are kept internally. You just can’t do that. You have to treat it like it’s any other tool, like it’s any other vendor.

At the same time, I think if you are expecting to turn around and have your practice streamlined into a, you know, money-making, just, you know, fire and forget, I don’t have to show up, uh, to work but Monday through Wednesday, and Wednesday I leave early, having AI agents running all of your tasks, filing your documents, and you’re pulling down your research.

I think if you think that’s going to happen, you are either so deep into the founder mythology or you’re really not paying attention at all, and you’re gonna find yourself in a lot of trouble. Absolutely. Yeah, I saw this tweet the other day that said, um, that for some lawyers, AI is actually leading to more billable hours [00:10:00] because they have clients that are going in to ChatGPT themselves and asking ChatGPT to write a contract, and then they ask the lawyer to review it and, uh, make adjustments, you know, and, and make sure it’s actually good.

And so it’s leading to a lot more billable hours because this AI is creating, like, nonsensical contracts, and then the lawyers have to go in and fix it, which I thought was kind of interesting. Well, and, and, and you know this too, like one of my favorite examples is dealing with something that’s like a privacy notice.

Uh, you know, you automate your privacy, you automate privacy notices for people, and that’s- Mm … you know, so I would say in some respects you, you know, could be argued you’re cutting in on some of my business a little bit, but I end up writing privacy notices that are very, very specific. Uh, and I would rather have a company that puts out good automated privacy notices for all of the websites out there that are way out of compliance than, you know, have all of them come to me after they’ve received, uh, [00:11:00] notice that they are in violation of the California Invasion of Privacy Act and are being sued by the same guy.

I won’t say his name. Everyone knows who I’m talking about. We all know his name, yeah. Um, you know, that’s There’s– The funny thing about privacy notices in that respect is that I see a lot that are drafted by ChatGPT, and I’ve actually come to the conclusion, I’ve started telling my clients this, “Look, we can sit down and have a two-hour-long meeting, uh, bring your marketing team, bring your IT team.

I can write you a privacy notice from scratch, and I’d put money that it’s gonna take me less time to do that than to try to update the one you’ve- Yeah … written.” That being said, I have seen, uh, several clients bring me privacy notices that are very good. Um, you know, these are clients who took the time to write a detailed prompt the first time, and then followed up with more and followed up with more, and used the capabilities within ChatGPT to research other [00:12:00] privacy notices and pull down important information and synthesize, you know, 50 different privacy notices in one industry to, okay, what are the key terms here, and use it.

And so you can, you can get very good stuff. But the thing about it is, is I think most people use generative AI, uh, uh, gener- generative AI right now as a way to do something quickly that either they don’t want to do or didn’t do before. Yeah. And so you’re getting, you’re getting a one, a one-pass draft.

And it– Yeah, I’ve– My finding has been that it doesn’t necessarily reduce time. Now, that doesn’t stop certain clients, especially large institutional clients, from flat out insisting that costs go down. There, and there are, and there, in my experience, those pressures are oftentimes directly unrelated to the individual work or the quality of the work being performed, but re- you know, relate a lot to what we would refer to as more commodity style [00:13:00] work.

The funny thing about commodity style legal work, though, is that it’s not like what you think of the normal definition of a commodity. It’s– A normal definition of commodity, commodity is something that is identical, repeated, and available at, you know, in, in large quantity. Corn, wheat, you know, things like that.

Things that the supply will go up and down, but you’re not really worried about one kernel of corn. And they are, they’re all reproducible and everything like that. The thing about commoditizable legal work is that it can go from anything from very basic form recreations, you know, your, uh, your LegalZoom creation of a basic LLC and a will, all the way up to extremely high-end technical patents.

And so, you know, what we’re talking about reducing the cost on, I think is… It’s oftentimes unrelated to the quality of the work, and I think that’s going to [00:14:00] create some interesting incentive structures as we go forward, but- Yeah … we’ll see how that works out. Yeah. Also, just to clarify, um, we have a lot of lawyers using our service for their clients.

Yeah. Um, so we try not to take business from lawyers. We do work, uh, together, um, with them as well, which is, um, a, a pretty fun, fun time, ’cause writing privacy policies sucks. Um, it’s, it’s terrible. So anything you can do to make it faster and easier- Mm-hmm … is always a good thing. Um, so today we’re gonna talk about data inventories.

Um, and you’ve written extensively about this, and I, I think this is a really great topic. Um, so to start us off, what is a data inventory, just in general? On very, in very basic terms, a data inventory is a list of what data you have. Uh, it typically covers things like categories of data that you collect, how you collected them, where you keep them, how you keep them, [00:15:00] how those categories are used by whom, and kind of- It sets you up to identify the life cycle of your, of the data that you manage within your business.

Now, typically speaking, when we’re talking about a data inventory, we’re talking about personal information, which means data that is protected by, uh, state or national level privacy laws or sectoral privacy laws, even, you know, things like, uh, industry standards like PCI DSS, things like that, where you have a legal obligation in some way, shape, or form.

That doesn’t necessarily mean that a data inventory needs to be restricted to just personal information. In fact, a lot of companies that I work with end up adding on an entire section to their data inventories to deal with data they’re legally obligated to protect but doesn’t necessarily qualify as personal information.

Among the, probably the biggest ones there would be contractually protected information, certain versions of trade secrets, software development information, [00:16:00] things like that, so they know where they’re keeping this data and who has access to it. But on this very, on its very basic level, it’s a list of what data you, you have in your business.

So how is a data inventory different from other things like a data flow map or a system inventory? They’re related. There’s, the data flow map is, I’m a visual person, so I, I, data mapping to me is a very not just important but incredibly useful tool, and that shows where data, uh, where data moves both within your organization and, you know, depending on how you’re setting it up through vendors and, and other outside entities.

But in order to keep those particular tools, the system inventory is also it’s a system of the tools that you have, your software, your devices, your, uh, platforms and operating systems, your, your SaaS applications, things like that. It’s important, I think, to not commingle too many of [00:17:00] these important lists of information because you do need to keep separate the data you have from the systems that you have.

There’s gonna be a, a map that shows how data moves from one spot to the next, whether it’s, you know, being moved internally, whether it’s requires certain levels of encryption in transit, whether or not there is even, you know, an option for, you know, essentially setting up huge vulnerability monitoring systems so that if any of that data sees the light of day, alarm bells are going off throughout the entire company.

Like, for example, if Coke’s formula, uh- Mm-hmm … got loose, I think you would see, you would see most of the people in the, the Coke building running around with their hair on fire. But, you know, so keeping those separate I think is very important. But that’s the, the key difference is that they are, they are And when they’re most useful.

They are designed for one specific thing and should be kept that way. So why is a data inventory so foundational to a privacy program? [00:18:00] I would say the most important or the most, well, the clearest reason why it’s foundational to a privacy program is you can’t protect what you don’t know you have. The whole idea of protecting privacy means putting a barrier around data that you have, you know, an obligation to protect because failing to protect it would result in the disclosure of information that would be damaging or potentially damaging to someone else.

The security that you’re talking about can’t be set up without knowing what data you have, without knowing who has it. If you don’t know that your entire marketing team is taking the feedback responses that they get from surveys and saving it to various Word and Excel documents on their desktop, you have absolutely no control over that information.

And you also have no ability to set up, you know, real processes and [00:19:00] systems that allow your people to use their system securely. Mm-hmm. A lot of people might say, “Well, it’s just easier if I save it here.” Well, it might be easier right now, but that also tells me that the company has not found a way or worked with that, the com- their employees to find a way to make that easier or to make it more straightforward.

It’s not always going to be a, an easier process to do something that is privacy enhancing, but there are plenty of opportunities to change established patterns to make things better, and you s- you simply can’t do that if you don’t know what is being collected, where it’s being kept, who has access, and how it’s being used.

Yeah. I would also think that if you don’t know where your data lives, you can’t, um, for example, the, the rights to access or the rights to delete, if you don’t know where that information is, you can’t give the consumer those rights. Well, and, and there are critical caveats to those rights too, right? So you [00:20:00] collect information f- under most privacy laws, you collect that information from an individual that is subject to the DSAR, the data subject acc- access request.

But if you collect that information through other means, it may not be. Mm-hmm. So not only do you have to know where the data is, what data you collected, who’s got control of it, but you have to know how that data was brought into your systems because you may not have a legal obligation to delete data that you obtained from the lo- from your local government that may have been, you know, brought in and, and may not only just not be subject to DSAR, but might be, might have its own carve-out, its own, its own, uh, protection that allows you to keep it.

So yeah, if you don’t, if you don’t know, you might miss things that you’re supposed to delete and you might delete things that you might not have to. Yeah. So, you know, you talked about, okay, you might be subject to these laws and, and therefore you need to have this. You know, what– for companies that are not subject to any privacy laws, let’s say, why should they still have a data inventory?

Well, I think [00:21:00] first and foremost, we are running into a, uh, a paradigm where the company that is not subject to data privacy laws, uh, is sort of like the white rhino. Yeah. It is rare- It- … for sure. It is rare. And, and one of the things that I think, and a lot of, a lot of my clients are still very surprised by this, in both the data privacy and cybersecurity aspect of what law they’re allowed to comply with.

Most of them think that if they put in their contract that this is governed by the law of whatever state they’re in, and if that state doesn’t have a data privacy law, then they don’t have to worry about anything because they’ve just said, “You agreed to be subject to this law.” Well, the people who wrote the data breach notification laws, the people who wrote the privacy laws s- wrote them specifically to circumvent any of that contractual language.

In the United States, privacy laws are based on the residency of the person whose [00:22:00] data you have. GDPR is even different than that. GDPR is based on the location the person was when the data was collected. So if you collect something from a resident of France while they’re visiting New York City, it is not protected by GDPR.

But if you get it from them, you know, while they’re on a layover in Dublin, it’s covered by GDPR. So you’ve gotta, you’ve gotta know a lot about your data and how, and where you’re collecting it, how you’re collecting it, because the idea that these laws won’t apply is fast disappearing. Uh, 22 states now, 46% of the US population, I think, covered by a, uh, a general privacy law, plus Florida, which has a more of a sectoral law.

The bottom line is you can’t– If you run a business that is anything other than a, a very local business, you pretty much have to expect that at [00:23:00] somewhere down the line you’re going to be collecting the data of someone whose data is covered by a privacy law. But let’s even go beyond that and say that you don’t, you’re not worried about that at all.

There are numerous risk management, you know, reasons and bases why a data inventory actually helps you out anyways. First, I’ve had remarkable success just, you know, talking to my clients about turning things like data privacy into a business advantage. Mm-hmm. People want privacy now. So even if you’re not obligated to provide it, if you can provide it, you make that lead part of your pitch to your customers and it’s the– I mean, the numbers are there.

It’s, it’s a– You basically can double your, your customer base by making privacy a big issue. It also helps with things like vendor management if you need to, especially if you’re in an in- industry where you have a lot of vendors doing a lot of different things, [00:24:00] a data inventory can help you map what information is going where.

I’ve dealt with a number of clients who had, I mean, just even in website issues, have had websites that have been operational for 10 years or longer and had seven or eight different analytics providers- Yeah … attached to one website. Well, that’s a problem in and of itself. But then one of the funny things we’ve found when we dig in is we find that there are analytics providers who are receiving information from other analytics providers directly from the website.

No one knew this was happening in, you know, without disclosure, it’s definitely not legal. But because no one had been monitoring where, where this data goes and what happens with it, because they, you know, when people started throwing up Google, Google Analytics when it first started, they were just thrilled to be able to say, “Hey, there’s someone from Thailand on my, you know, on my e-commerce page,” [00:25:00] and didn’t care what that meant.

And so there’s, I mean, there are a ton of different applications in a business for data inventory, just knowing what your, what your business does, data retention, insurance issues, incident response. Um, even if you’re, if you’re a company that has any interest in developing anything with AI, one of the most im- important things that AI can do for a company is it can give value to data that didn’t necessarily exist before.

AI systems, be they generative AI or, you know, more, more direct discriminative AI systems are desperate. They are hungry for new, real information. You get a better trained AI by having more real information, and if you have not been keeping track of what data you have, you don’t have any idea how valuable the AI you could build internally could be.

Or you have no idea whether or not the [00:26:00] data that you have could be sold to an AI developer for a significant amount of money. You wanna, you know, boost your end of year revenue. You want to maybe stave off a bankruptcy, maintain solvency, or you’re in bankruptcy and you want to avoid, you want reorganization instead of liquidation.

You may have inventory or you may have data inventory that has value, and if you don’t know what you’ve collected, you’ll never know how much value that data really has. Yeah. It’s interesting that you bring up, you know, people don’t have, don’t know that they have like five, six analytics tools on the website, and there’s nothing more scary than talking to a client and being like, “Do you have analytics tools on your site?”

“No, I don’t. I’ve never seen anything like that.” And then they have like four or five analytics tools, and you’re just like, “Okay, so you’re running all this. You’re violating all these laws, plus you don’t even check any of this data, you know? So there’s really no reason for you to have any of this on the site.”

And, you know, it’s just like, “Well, my website designer added [00:27:00] it, and then I had another designer that added something else, then my marketing team added something else, and nobody ever brought any of this up. They just did it.” The favorite v- the favorite story that, that I have a, a, of that particular issue was one of my clients who had three analytics, uh, connections, one of which was a company that no longer did data anal- analytics.

They had pivoted their entire business. Uh, but they were still regularly receiving- Yeah … information being sent from this website. And review your sites, people. Review your sites and just remove stuff that you don’t need. Um- The pixels are the ones that, they, that I think are, uh, the, the most trouble just because they’re The, the information they collect is very insidious.

Mm-hmm. So many website users have no idea they even have them. And even ones who did, they th… You know, I b- I’ll be on a Teams call with someone saying that we say, “We swear we just took that down.” And I’ll just share my screen showing the developer [00:28:00] tools loading their website- Yeah … loading up and spinning up and sending information to Facebook and LinkedIn and Google.

And yeah, those are, those are the ones where I still, I’m still baffled as to how the companies that are really getting the, uh The difficult end of that particular one are the companies who have the pixel, not the companies who use the pixel to hoover up sensitive data. Yep. Oh, yeah. Yeah. It’s, it’s wild.

Um, so let’s say we’re ready to start creating a data inventory. What are the core elements that we should be including? So first, uh, you need to, you need to decide what you’re collecting as in- for information, uh, on this inventory. You need to decide how you’re going to organize it. The best method in my experience is identifying categories of information.

You know, you got your [00:29:00] identifiers, your contact information, your account information, biometrics, health, you know, the standard, the standard data privacy style data categories, and then you add the source of the data. Uh, this can be interesting, I’ve found, because when you’re working with companies that have significant… Like significantly different practices and, and we’ll call them federalized, um, you know, spread out business practices where a VP for marketing can authorize something and the VP for advertising can authorize something.

And you would think those two things would seem very aligned. But not only will they be doing entirely different things, neither one of them will have the first clue, not that, not just that the other person was doing that, but what the other person was doing at all. Mm-hmm. So identifying the source of the data and who is [00:30:00] collecting it, how is it being used.

Um, I would also say to, sorry to jump back on the, the how it’s being collected, identifying the method of consent is always worthwhile, too, especially depending on the type of data that’s being collected. You’re going to be obligated if it’s sensitive information or if it’s information subject to a specific legal requirement like, uh, using a phone for text messages or t- uh, images, uh, under, you know, usage and likeness rights, things like that, where you have to maintain very specific types of consent.

So tracking how you’re collecting, how you’re maintaining and logging the consent, then you identify where it’s being kept. And a lot of this is gonna come down to, in my experience and in my opinion, how effectively you have laid out your general data handling processes and [00:31:00] procedures internally. You need to have a data classification policy.

You need to identify, like, what, what data, you know, falls under the restricted, confidential, you know, non-public and, you know, non-public but we don’t really care if it became public, uh, categories. And by doing that, you have a much better idea of where you should be looking for things and where you need to, you know, really emphasize that things not be, uh, kept off books or through shadow IT, things like that.

Um, you know, identifying who has the rights to the data is, is a, it’s a nice-to-have in my opinion. Uh, I don’t think a data inventory– I think you need to handle that more, that needs to be addressed by other policy. That needs to be addressed by your, your data access policy and your, uh, you know, your least privilege appli- applications.

It’s a nice-to-have, though, in a- Mm-hmm … in a data inventory. Uh, the people who get it, who is this information shared with? [00:32:00] That’s one of the big things you find out when you’re one of the… I have not had once a data inventory not result in some shocking revelation about information being collected and given to a third party that not only didn’t make sense, but no one knew about, uh, or no, no one with, you know, authority knew about.

Those are always, you know, the big, the big thing. So what data you collect in categories, who collects it and how, and how is that consent maintained where needed? Where is it kept? And who gets it are probably, in my mind, the biggest ones. Now, there are other things that you can add into there that, again, are nice-to-haves, like data retention policies, uh, which are becoming a much bigger issue in privacy laws now.

California’s always had a requirement that you only keep it for as long as needed, but they are really starting to, in their enforcement, put a lot into making companies declare how long they really keep things. Um, identifying security controls if you need to [00:33:00] is another, is another nice-to-have, probably more important on specific things like financial transaction information, health information, the real sensitive stuff, the, the kind of things that not only could be damaging if they got out, but would be damaging to individuals.

And I, as much as I respect the, uh, the categorization of sensitive information under most privacy laws, I do think that there are two different kinds. They’re all damaging if they get released, but there are some, I think, like, you know, credit card number plus- Yeah … expiration plus PIN that rise to the level of, of creating a much more likely level of harm if they were to be disclosed than, say, necessarily your union membership.

Although we have, historically speaking in this country, we’ve not done well with, uh, with, uh, protecting people’s union membership. So, uh, but those are the, you know, those are kind of the big things. I’d say one thing that you probably really want to address is [00:34:00] who owns the data inventory? That’s something that is overlooked a lot, and a lot of times it’ll be assigned to someone who is maybe good at organizational, uh, projects and things like that within an, an enterprise, but not the role.

It’s not, it’s not assigned to the role, it’s assigned to the person. So when the person moves on or gets promoted or gets busy, the data inventory itself sort of falls off because it’s not a role or institutional def- ins- institutionally defined ownership. That’s actually probably one thing that I would say is, uh, a need to have that, uh, in addition to the categories of things you’re, you’re recording at the top, who does this- Mm-hmm

uh, is necessary. I’d love to see, um, you know, speaking of shocking revelations, like a Maury style privacy professional show that’s like, “You are the data holder,” or, “You’re– You did share data with this person,” instead of, “You’re, [00:35:00] you’re the father,” whatever. I think that’d be great to watch. Yeah. I think if, I think if people fo- if, I think if people really realized what they did, uh, with all of this information Yeah.

It’s- I think if, I think if they had to sit and actually watch a panel of people talk about what the people on the panel did with that individual’s information, I think you’d actually get more, more of the individuals storming the- … panel. I think that that’d be your, that’d be your, your really good spring around.

Yeah. Like, “You had my data end up on, on the dark web. Why did you do this?” Um, so in terms of, like, actually putting this together, what are your thoughts on using tools for putting together the data inventory, or is a simple spreadsheet enough, or it kind of depends? I am a really huge fan of the spreadsheet approach because it allows you to start, uh, without overcomplicating the issue.

Uh, the tools that are available, there are, there [00:36:00] are, there are good tools out there. I don’t– I actually don’t use that many of them anymore. I don’t, because I’m not involved in the, on the company side. I’m, you know, as outside counsel, I end up doing more just, uh, involvement in the actual procedure. I would say whatever works with your company, whatever, you know, works with your budget, but also it has to fit what I described before, is it needs to have an owner.

Um, the biggest thing that those tools can do is it can kind of create a, uh It’s a false sense of automation. On one hand, it would be great to have a tool that would track and update the location of information as it moves, and could, you know, potentially using agentic AI, identify when certain information is being used in ways that are not tracked on the inventory and could flag that or [00:37:00] add it and maintain it.

But the problem is, is that at the end of the day, for a data inventory to do what it’s supposed to do, it needs to have human eyes on it. Mm-hmm. I, I fear that using some s- some tools, some of, some of the tools that are out there can be so intimidating that it creates an effect where you never actually use the tool itself.

On the flip side, if you create a really extensive spreadsheet that, uh, anyone who has worked in a business or organization with someone who is really good at designing very, very good-looking Excel-like tools will understand right away that that tool becomes nearly useless as soon as that person is no longer building and maintaining those tools.

So you run that, that reverse risk too. So you– There’s– Data privacy is, uh, is idiosyncratic to the [00:38:00] company. You have to fit, just like I, I say the same thing about cybersecurity policies and procedures. I could write the exact same policies for two different companies, and they would be implemented differently, the results would be different just because of the unique circumstances of those companies.

I think the same is true with a data inventory. You’re gonna have things unique to the individual company that’s gonna make it make more sense. Don’t f- it’s not a fire and forget exercise, though. You can’t, you know, taking it once is a snapshot, and a snapshot is a wonderful thing to have to look back on exact, on how things looked exactly on that split second of that day when you took the snapshot.

It does very little once any data has moved. So that’s, you know, it’s where I think we’re gonna see a lot of interesting opportunities to create new tools. I mean, we’re still in a, I would say, the era of AI that I would not rely [00:39:00] independently on, I don’t know, anything- Yeah … that is being come out or that is coming out that you have not built yourself.

And even if you have, the, the other major thing I see all the time with clients and friends who are putting together these agentic AI systems is it is remarkable how much they have to fix any time the models adjust. The, the pitchforks that have come out since, uh, 4.7, since Anthropic released 4.7 have been almost to the level of what happened when ChatGPT re, uh, released 4.0 last year and I don’t know, I think it, it was funny to me that so many users were so upset that their AI was no longer being a sycophantic yes man, but-

it’s, you know, when, when you’re building something that’s based on these– uh, that’s specific. When you’re a wrapper around someone else’s product, you are relying entirely on that product operating as it did when you designed [00:40:00] it and when you tested it and when you fine-tuned it, and any little change has potentially huge ramifications.

Mm-hmm. And I just don’t think right now we’re at a, we’re at a place where I would rely on any of that- Yeah … without significant human overview, which means that, yes, you’re going to go to your local chamber of commerce lunch and someone’s gonna talk about the efficiency gains they’re making. First of all, I always say that when you hear someone about the efficiency gains they’re making by implementing AI, I equate it to when s- when a gambler talks about their winnings.

Uh, if you’re hearing how much they’re gaining, that means that they’re not willing to tell you how much they lost to get there. Mm-hmm. And I think that’s a, a really big thing to remember. But if you’re doing AI right, right now, I think you’re getting efficiency gains and you’re, you’re getting some limited benefit [00:41:00] But that’s what you’re getting.

Yeah. And I think that, I think that you’re, there are gonna be tools coming out that overuse AI with data inventories, but it is potentially a, a very… I don’t know, it, it’s, it seems like a place where, uh, agentic AI could be very useful if it was done right. Yeah. No, that, that makes total sense. Um, last question for you.

Um, how should you approach keeping the data inventory up to date and current? Uh, ownership. Someone’s gotta own it. Uh, it can’t– And it’s gotta be owned by a role. It can’t be owned by just an individual. It’s gotta be something that, uh, is considered to be, uh, an essential part of their job so they can’t set it aside, especially indefinitely.

Uh, they, it, it’s gotta be something that completing it is, and maintaining it, and keeping it up to date is necessary so that it doesn’t simply go away, and it has to be given the appropriate level of [00:42:00] respect by management. So here’s what management can’t do. Management can’t say, “Oh, you’re just working on the data inventory.

I need you to do this first.” Because that snowballs and that, that becomes– And just like any leadership, you know, oriented situation, you’re talking about, you know, giving your employees cues as to what you consider important, and they’re going to treat that as important. So making it, you know, a serious and legitimate part of how you operate your business, and having someone own it.

Yeah. That makes total sense. I mean, compliance always comes from the top. You can’t have management say, “Oh, just put this aside for now,” or, “Oh, we’re not gonna follow this now because this is more important.” Um, you know, and th- that’s how it all slides to the wayside and nothing ever gets done again for compliance.

Yeah. No one likes being the cop at a frat party. Yeah. Awesome. Well, Brian, thanks so much for, for coming on today and, and sharing your insights. I really appreciate it. [00:43:00] Thank you. And, uh, for our listeners, make sure to subscribe to Privacy Lawls so that you don’t miss our next episode.
