23 Nov 2023
In our fourth episode of Champions of Digital Trust we speak to Tara Taubman-Bassirian, a French lawyer with a corporate law background who discusses her expertise in digital and communication internet law.
Tara emphasizes the importance of trust in the digital world, particularly in data collection. She highlights the significance of being GDPR compliant and suggests that companies should focus on gaining trust through transparent privacy practices, such as using privacy notices as marketing assets.
Tara advises against unnecessary data collection, emphasizes data minimization, and discusses the importance of limiting access to sensitive information.
Hello, and thank you for inviting me to speak with you today. My name is Tara Taubman-Bassirian. I am a French lawyer with a background in corporate law, but I have a great interest in anything digital and communication internet law, since I did a specialization on that subject. I love anything new technology, so this is why I went into that area, and I find it really interesting because it's a fast-moving area where you have to constantly update your knowledge and try to find ways of making it work smoothly. So we're all kind of building up together on something. I find that very interesting. So I use my knowledge advising companies on being compliant online.
How I can contribute to trust: I think trust is fundamental. I've seen companies collecting data, but if they don't have the trust of the customers, they can't always believe what they are collecting is accurate. For example, I guess if you look, many of us privacy people are born on the 1st of January of some year, because I don't want to give my real birthday, but you're asking me and you don't even tell me why, and I feel like you don't need to know my date of birth. So I'm born on the 1st of January or something. So until I have the trust, why would I actually be telling you the truth? So your marketing people would have collected a lot of data about me, but because they didn't have my trust, what they collected is worthless. That's why I think trust is very important.
How to gain trust? Well, we can start by following the regulation. That's the first step. This is what I work on with companies, saying you have to be GDPR compliant when you are in the EU, or if you're based outside and you're processing EU data. GDPR is a regulation that's been adopted by a group of nations; this is why I think it's very strong. It's not the best ideal law, but it's something that can work all over Europe, so because of that it's a very strong regulation. It's not perfect, nothing is perfect. It has to be working with lots of different legal systems, different cultures, because also privacy has a very strong cultural element into that. But basically I find GDPR is just common sense. A lot of it is common sense.
One of my favorite principles is data minimization. When I start working with companies, I say, tell me what data you're collecting, but quite often they don't even know what they're collecting, so they keep telling me, "No, I don't have that." "Do you have cookies on your website?" "No, we don't have cookies. What's that?" "This is a cookie." "Oh, we have cookies." Because someone designed a website without even really telling them, or maybe they didn't listen. So I have to say: why do you have cookies if you don't even look at it? Just take it out.
I even often advise to advertise on your compliance, because this is how you gain the trust. Don't simply put a privacy notice that is boring just because you have to put one. Make your privacy notice your marketing asset. Tell the people: if you come to my website, be free to do whatever you want and you need to do, you won't be tracked. This is gaining trust by marketing, advertising, which for me is worth more than "we're not going to tell you we might record you, we might follow you and we might sell your data to someone; we're not going to tell you because this is not nice to say."
Most of the time it's not the company itself who is benefiting from it, it's a third party that is monetizing that data. It's a Google Analytics behind that is playing with your customers' data, so you're losing your customer trust for the benefit of a third company that you don't care about. So don't collect data if you don't need it.
It's been kind of a Google hype, since data collection, processing and storing has become really very cheap, to just collect and then we will see later on what we do. And Google started by giving us these shiny Gmail accounts, and I was one who was invited by Google to have my free Gmail account. So suddenly we thought, oh, we actually don't need to delete any email because we can keep it as long as we want. Well, no, this is a habit that we need to break. We should delete, and an email inbox should not be our archive. I keep saying that, especially with lots of law firms who don't want to leave Gmail, because they tell me, "But it's so easy for us to have all our files on Gmail." I said, no, think about it: why do you give all your confidential clients' data to Gmail and Google? You shouldn't. You should protect it. You are fighting for your confidentiality, and lawyers are so strong on that. Don't use Gmail. Delete the data you don't need. There are other ways of archiving emails or communication that you need, but an inbox is not a storage box.
So this is on data minimization. And then we talk about limiting access to data. Quite often companies allow too many employees accessing data. This is wrong. For every kind of data they should be thinking of who should access that. We know this famous Morrison case, in which an employee who was angry against his employer, Morrison Supermarket, was given a USB key with all the HR data to pass on to the auditors. He was angry; he said, okay, I've got all the HR data, I'm going to make a copy of it and I'm going to send it to the news and put it on the dark market. Morrison had nearly lost the case, but they were lucky, they had a very good lawyer, and eventually the highest court said they are not liable. But it could well have been a case of vicarious liability of the employer, who should have been negligent by giving a USB key with all the HR data to their employee with whom they had issues, who had this disciplinary sanction.
So each time, for each employee, there should be a thinking of what he should access and which way. A USB key is not really the way of giving HR data. There are USB keys with passwords; companies should use them much more often, because even the best employee with the best intentions takes the tube, takes a taxi, loses it, it's lost, and someone accesses all the data. You just need a password-encrypted key. It's not very expensive, and I think lots of these big companies can afford it. So limitation of who is accessing, and minimalizing that data.
Then we come into the step of securing data. Security of data: my favorite, Article 32 GDPR, says it is an obligation to take the appropriate security measures to secure the data. If you want your client to give you data, they need to be trusting you, who share the data, and you have to be trustable while securing the data that you've been given. Encryption today is very easy. When I'm told it's expensive, it's complicated, I say, well, open a phon account. I'm not doing advertising, pH have no link with them, but I really like the product they're offering. It's free, super easy: put a password, create an encrypted link, share it with whoever you want. Please don't send the key with the same email right after.
Giving a lot of free tips here, so we should, the episode, we need to put in the tagline "Tara's free tips". Yeah, I will. I've just signed up to extend this, but it doesn't seem to have caught up with this session, so we've only got five minutes left and then it will kick us out.
I would love a magic wand that would wake up all the DPA in one go. They're all snoring. I want them to wake up, to start enforcing, but not necessarily with big fines. I don't think big fines to big companies is the solution. I would like to respond to complaint, actually look why the company has not been compliant, and tell them how they can be compliant, give them three months to be compliant.
I'm one privacy person who is very open on LinkedIn, and nothing is perfect, LinkedIn is not perfect, but it's a great tool for all of us to exchange our ideas, to exchange on knowledge and to be contacted. So my name is Tara Taubman-Bassirian and I can be found on LinkedIn. Please don't hesitate, you can contact me. I also got my own website, datar rainbow., in which I publish a lot of my tips and fresh comments, usually on things that happened in the world of privacy, data protection and AI.
Amazing, thank you so much, Tara.
Sorry, pleasure, nice talking to you.