Technically Compliant
Real CTOs. Real Privacy Challenges. Real Engineering Solutions. You've got third-party scripts you can't really identify, your data mapping spreadsheet was last updated in 2019 (and your schema doesn't match it), and someone from Legal just DM'd that "we need to talk about GDPR". Cue eye-roll. Technically Compliant is the podcast where CTOs talk about what privacy compliance really looks like when you're shipping code, managing legacy systems, and trying to convince the CEO (and yourself) that a consent management platform isn't optional. Each episode, I sit down with CTOs who've been in the trenches—the ones who've retrofitted privacy into monoliths held together with duct tape, discovered entire tables of unexpected PII, survived their first DSAR that returned 80,000 records, and lived to tell the tale of explaining to their CEO why they can't "just ignore the risk." No vendors. No legalese. Just real conversations about the messy reality of building privacy into software that's already moving at full speed (or higher). Because let's be honest: you're probably technically compliant. The question is what happens when someone checks.
Multi-jurisdictional Consumer Privacy with Brandin Chiu from Spoonity
In this conversation, Ross Saunders and Brandin Chiu discuss the critical importance of customer and consumer privacy rights, exploring how businesses can navigate the complexities of compliance across different regions. They delve into Spoonity's mission to enhance loyalty programs while maintaining a strong focus on privacy, the challenges faced in various jurisdictions, and the strategies employed to ensure compliance without hindering business growth. The discussion highlights the evolving landscape of privacy regulations, the role of technology in compliance, and the necessity of educating clients about privacy rights.
Key Takeaways:
- Customer privacy is essential for business success.
- Compliance varies significantly across different regions.
- Navigating multiple regulations requires strategic prioritization.
- Customer awareness of privacy rights is increasing.
- Education is key to overcoming misconceptions about compliance.
- Technical challenges arise when implementing privacy measures.
- Compliance should not hinder business progress.
- Regulators often prefer to guide rather than penalize.
About Brandin:
Brandin Chiu is the CTO of Spoonity. He has nearly two decades of software engineering excellence, and is obsessed with bringing together the systems, processes, and people that make great engineering organizations. In his free time, he volunteers and provides mentorship to a variety of organizations around Canada in the fields of leadership and software engineering. He cares deeply about consumer privacy, digital rights, and brings that passion with him every day at Spoonity.
About Spoonity:
Spoonity is the "future of loyalty": offering the complete package of rewards, gift cards, digital marketing, analytics, and AI to help our merchants accelerate growth. Our highly-customizable platform comes backed by a deep understanding of our merchants' operations and business so that we can act as a partner and springboard, rather than a distraction. We've helped some of the biggest brands in Latin America grow tremendously and now operate on every major continent on Earth.
About Ross:
Ross, the "Nerd with Trust Issues", is a technology and privacy specialist with over 20 years of experience navigating the complex intersection of innovation, governance, and cybersecurity. He holds a Master’s degree in Management of Technology and Innovation, a CIPP/E designation in privacy, and certifications in paralegal and ethical hacking.
With a background in Software-as-a-Service and more than a decade dedicated to governance consulting in privacy and security, Ross has helped organizations translate regulatory requirements into actionable strategies. He is a passionate advocate for consumer cybersecurity and privacy rights, known for making even the most complex topics accessible and engaging.
Ross Saunders (00:00)
So today we're going to be talking about customer and consumer privacy and rights, and how doing this well protects everyone involved: the business, the end customers, clients.
And my guest today to talk about that is Brandin Chiu, who is the CTO of Spoonity. Welcome, Brandin.
Brandin Chiu (00:20)
Hi Ross, happy to be here.
Ross Saunders (00:23)
Now, Brandin has nearly two decades of software engineering excellence under his belt, and he's obsessed with bringing together the systems, the processes, and the people that make great engineering organizations. In his free time, he volunteers and provides mentorship to a variety of organizations around Canada in the fields of leadership and software engineering. He cares deeply about consumer privacy, digital rights, and he brings that passion with him every day at Spoonity.
Brandin, tell us a little bit about Spoonity.
Brandin Chiu (00:53)
Spoonity is the future of loyalty. We offer the complete package of rewards, gift cards, digital marketing, and analytics, as well as starting to bring AI to help our merchants accelerate growth. Our highly customizable platform comes backed by a deep understanding of our merchants' operations and businesses so that we can act as a partner and springboard rather than a distraction. We've helped some of the biggest brands, in particular in Latin America, grow tremendously and operate on every major continent on Earth. The future of loyalty is here.
Ross Saunders (01:26)
Fantastic. Privacy, digital rights, those are all topics that we hear about all the time. I've worked with a number of software companies and things where there are consumer advocacy groups that are coming in and they're looking at companies to see what kind of privacy you have in place and how it affects the consumer. I think it brings in a very real struggle of balancing compliance, kind of sticking to all these rules that the regulations give us, and toeing that line of: you still want to extract business value, you still want to get analytics out, you still want to do this to benefit the business. And you guys are very much in the consumer space and we're seeing these digital rights. That's kind of pretty much where our topic focuses today: where that line sits and how we address that challenge as you move around the world, because like you mentioned, you've got all these different regions that you work in. So yeah, let's take a look at how Spoonity manages all of this and navigates this. Let's kind of set the scene. Brandin, tell me a bit about the team that you're in, the tech stack that you have.
What does that look like in your environment?
Brandin Chiu (02:46)
Yeah, so we've been around since 2012. We're about 30 heads right now, undergoing some pretty intense growth over the last couple of years. So our head count will probably double in the next year and a half, after a couple really good years, mostly buoyed by a recent expansion in Mexico. On the tech stack bit, we are a consequence of that, being around for 12 years. So we're a pretty traditional LAMP stack running in VMs, hybrid cloud. So there's a lot of technical debt inside kind of that infrastructure model that'll come up throughout the conversation around what that means for compliance. So we run partially in Google Cloud, partially in AWS. At some point, we were partially in a local data center. So we still have a bit of that startup DNA of being scrappy and making it work wherever it needs to.
Ross Saunders (03:42)
Yeah, I know that feeling. I think I've been there myself quite a few times, having those different spaces. So what did privacy look like for you kind of when you started out? Was it a consideration? How did that come to be?
Brandin Chiu (03:57)
Yeah, the main component of privacy that mattered to us when we started, at least the practical ones, staying with the theme of the podcast, would have been mostly around email consent. We're based in Canada, our offices are in Ottawa, so we had some constraints around PIPEDA, which is our kind of privacy compliance framework. But email consent was really the big one that everyone felt.
CAN-SPAM was kind of kicking up at around that time too. It was a big topic of conversation. So we knew if we started sending emails to people who didn't want them, it would be made known in one way or the other to regulators. So we had to ensure that that was a piece that we were really deep diving on.
Ross Saunders (04:39)
And you know, with that now, so you've got that, that kind of email consent, did that evolve? Did that go into a particular broader challenge or what kind of, how did you start that journey to addressing that? And did it lead to sort of other components that you needed to comply with that you needed to get into?
Brandin Chiu (04:59)
Not right away, not in those early years. So I joined in 2015. Email compliance for consent management was really already there at its most basic bare-bones level by the time I started. We pivoted very quickly from kind of the Canadian market into the Latin American market in 2016 with a launch in Ecuador and a few other neighbouring countries. And from there is when we started having to ask questions of: does the compliance structure need to look different as we're expanding into these markets? The answer was yes, with a big asterisk next to it of that, you know, for the most part from what we've experienced through our growth, most jurisdictions are friendly, so long as you are blatantly not going out of your way to kind of circumvent or ignore them, and your names aren't Meta or Google. So we've had great conversations with regulators, with merchants, with other compliance stakeholders. So we were able to really ease into kind of what that looks like. And for the most part, we are 90 to 95% compliant in all the jurisdictions we operate in. That is going to range from email compliance, privacy compliance, data sovereignty compliance, as like the big ones. And for that, you know, zero to 5% where we're not always compliant, the conversations we've had with regulators have been really good. They've either given us time or it's been waived in one way or the other. It's just not an enforced requirement at our size.
Ross Saunders (06:41)
Mm.
Brandin Chiu (06:41)
So things like that have, for the most part, worked out so far.
Ross Saunders (06:44)
Okay, great. With those moving into kind of different regions, you have the different types of compliance that you have to do. I know from the clients I've worked with, it's sometimes a challenge: which one do you focus on? Was there a particular approach that you guys took for, you know, we have to comply with eight or 10 or 16 different regulations, we're going to take perhaps the most complex one, or we're going to take the one where we've got the most users? How did your kind of decision process go around that? Kind of how you get to that compliance? 'Cause it's really difficult to comply across multiple regions.
Brandin Chiu (07:25)
Yeah, so we're a sales-led organization, so like most things, our kind of prioritization happened with where sales went. The good and bad thing about working in emerging markets like Latin America is that their compliance kind of thresholds are a little bit lower. So for a lot of the countries we were entering, they either didn't have anything or had one thing that was very new.
Ross Saunders (07:53)
Okay.
Brandin Chiu (07:53)
So it wasn't like we were entering into like a HIPAA or a GDPR or like a really compliance-heavy framework that we just needed to do in order to do anything. We were able to kind of get started as we go. And for the most part, it kind of grew organically as we entered those markets through sales. And the ones that were prioritized would have been the ones that particular merchants were aware of. So if we were courting deals in Ecuador, Colombia and Peru at the same time, but the only one of those customers that was asking us about it was Colombia, we would prioritize Colombia first, go over what our kind of requirements for that looked like, and then kind of build out the rest as we went.
Ross Saunders (08:38)
Okay. And did you find, and I know you, you leaned into it a bit on the regulators and being aware of what kind of laws are around there. Did, did you have a lot of customers sort of leaning on you to, say you, have to comply or was there like a, I suppose, like a customer maturity in the privacy space when you went out there?
Brandin Chiu (08:59)
Yeah, it's definitely a mixed bag. For the regions we were entering where there was new regulation kind of happening at the same time, it was top of mind for people because they were worried about their exposure, or like our clients were worried about their exposure, so it would typically come up to make sure they were covered. We also had merchants that either knew or didn't know, but also didn't care. Their priority was building their business, making money, generating as much value as possible from their data.
Ross Saunders (09:08)
Mm.
Brandin Chiu (09:29)
They were almost like a malicious non-compliance that we had to kind of block them back from, going back to the idea of, you know, protecting ourselves, protecting end customers as well as protecting our merchants. And then there's another group that was more kind of ignorant. They hadn't run or launched a digital program before, so they didn't kind of know where they needed to be compliant and where they didn't. So it's definitely been a mixed bag. Of those three groups I named, I wouldn't be able to tell you which was bigger, at least not right now off the top of my head.
Ross Saunders (10:05)
Okay.
Out of curiosity, with the ones that were, like, the maliciously non-compliant, I believe you said, or the folks that were in kind of willful ignorance, not wanting to comply. One of the things I think I've found in my spaces of working around it is sometimes having to deal with the misconception that the second you've got privacy in place, it means you cannot operate your business anymore. And it's like, we can't do anything with the data anymore. And that's not the case. Did you find there was a lot of an education component involved in that with the clients?
Brandin Chiu (10:36)
For some of them, yeah. The ones that I would triage into that bucket of malicious noncompliance in particular, they knew what things they could and could not do and they were purposely choosing to kind of over-index on the things they couldn't do, because there was value there that they were aware of, that they had been extracting prior to the legislation existing, that they really just wanted to continue to leverage. So like the biggest example of that, around something like email consent, would be uploading bulk lists of customers and checking that box of, like, yes, these customers have provided consent, I absolutely 100% guarantee
Ross Saunders (10:57)
Hmm.
Hmm.
Brandin Chiu (11:16)
that they have done that, sending out a mass message or marketing materials to those messages, and then looking back and seeing your complaint and bounce rates spike to like 10 and 5 percent respectively. You're like, you definitely did not get consent for these, you do not have ongoing consent for these. And then in some of those cases that became a bit of an issue that we had to work out with them because there are...
Ross Saunders (11:30)
Ha ha.
Brandin Chiu (11:41)
implications for us. So we use AWS for sending our emails. AWS's thresholds for bounces and complaints are incredibly low. The SES threshold for complaints is like 0.1% in a rolling period. So at one point, we spiked above 5% within 72 hours from email campaigns hitting a couple dozen million people.
Ross Saunders (11:43)
Yeah, I was just going to ask.
Brandin Chiu (12:07)
So we had, there were some conversations that needed to happen there around like we cannot, no one is going to be able to support you in doing this. So we need to find a way to make this work or you're never gonna be able to send emails ever again. And that feels worse than sending emails to the people who want, who have elected to receive them.
Ross Saunders (12:14)
Yeah.
Yeah, I remember years ago, pretty much when GDPR was coming around, I was working with a software company who had a massive mailing list over the years. And a lot of it was implied consent, which was allowed up until that point. And they weren't actually in Europe, but they had some clients there. So they were aiming their compliance at GDPR. And I remember having such an argument slash debate with the director of the company, because we basically said that they needed consent for everything, and they were thinking, rightfully so, that they wouldn't have a lot of people on their list anymore, and this is going to affect their bottom line and things like that. And it was a very interesting exercise because we went ahead and did it and got the explicit consent and they were compliant, and they lost, we worked it out, 94% of their list. It fell away, the director had a hernia. I didn't know whether I was still going to be consulting with them after this. But then when they looked at the bottom line, nothing changed on the bottom line, because the people who were on their mailing list were actually the people who wanted to be on the mailing list and they were the actual customers that were buying. So it was a very interesting discussion.
Brandin Chiu (13:36)
Yeah, that's the same thing we see in the loyalty space too, just in general. The vast majority of loyalty programs in every jurisdiction we operated in has really that top kind of 10 percent, the top performing 10 percent, carrying at least 80 or 90 percent of the value of the program. So yeah, shaving something like 90 percent of the email list, which is around the same number we saw with this customer I'm citing too, really had no impact at all, because a bunch of them just weren't real. So our client was very clearly sourcing this list not from people filling in forms, and from other means
Ross Saunders (14:10)
Mm.
Brandin Chiu (14:15)
that I'm not going to hazard a guess at. And everyone who remained on the list were their most loyal, valuable customers anyway, who were the ones that were driving all of the business.
Ross Saunders (14:26)
Okay. And, you know, perhaps just hitting on a bit more of the technical side of things: when you're dealing with these consent mechanisms across different regions and things like that, presumably there might be little subtle differences. From a technical standpoint and architectural standpoint, were there challenges that you ran into, different things that needed to be addressed and back to the drawing board, or was it more that you could patch it up? How did that look?
Brandin Chiu (14:52)
Yeah, for sure. Legal was one. So we have an in-house, or sorry, we call it an in-house, but a fractional legal counsel that we work with on some issues like this. Our merchants also have their own legal counsel that they work with on this. And there's obviously some natural language barrier concerns around the Spanish-speaking nations that we operate in at this time and our existing. So every now and then we'd find conflicts in the language between kind of what can be done and what can't be, and those errors around the margin had real impacts. And then codifying that into a platform would sometimes be tricky, where we would do something almost quite correct but not quite correct, or vice versa. The one that kind of stands out the most is when we were working in Colombia. They had this rule around what they called habeas data, which governed partially consent, but when we were working with one client in particular, and how they told us we had to implement it, it required physical records of consent to be archived and managed somewhere. So customers would go into the store, they'd be given a piece of paper, a slip to fill in with their personal details and their consent. And then that would get stored somewhere physically inside the business. And we had to manage that
Ross Saunders (16:19)
Wow. Okay.
Brandin Chiu (16:24)
with our digital representation of these programs. So we had to figure out kind of how to make that work, how to sync those two things together, like a filing cabinet in a room somewhere in Colombia with kind of a real-time running digital program. That was fun, fun italicized.
So there were a few things like that. That's definitely the one that stands out the most. Other ones that were trickier were some of the compliance requirements in the UAE. So we have a few customers in Dubai and they have requirements on when a marketing message can hit a customer's inbox. It's like we couldn't send marketing messages late at night, for example. So with a 12-hour time zone change, that also adds some additional complexities. We had to make some adjustments to our platform to be able to support kind of when to send those things, because our system had never been designed to kind of have that kind of restriction before.
Ross Saunders (17:28)
Wow. So, I mean, I'm curious to sort of move into a bit of these solutions that you're talking about. You know, was there an overarching strategy that you followed for putting in the solution? I know you mentioned you've got sort of the fractional legal counsel and things like that, and you've had these different challenges. How was it prioritized? How did you come up with, presumably, the program or system, can I call it, for building in these compliances as they come in?
Brandin Chiu (18:01)
They essentially ended up being treated as, like for all intents and purposes, professional service mandates as part of our enterprise service contracts. So most of our accounts are quite large. They're some of the largest businesses in the regions. So lots of moving parts, lots of stakeholders, long decision-making windows. So it would get bundled in with other requirements in order to close the account. So we tried to make the platform as generic as possible, to be as flexible to meet the needs of the region and the customers we're working with. Every now and then we'd hit one of those walls of, like, this thing we've never seen before, never thought about it before, had no idea it would be an issue, and we'd have to find a way to make that work while doing other things to get the account working, such as setting up their loyalty program, training. In some cases we had to integrate with different third-party partners. So we integrate with like 20 different payment gateways, a few different messaging providers around SMS, email, etc., to take advantage of different rate schemes and things like that. So it would end up getting fit in with those things as part of the account close.
Ross Saunders (19:14)
Okay. That's a good way of doing it. I think, kind of bringing that in, you know, maybe I'm not trying to see in my mind how it all fits together. When you've got that professional services component, I think what I'm wanting to ask is, you know, was it more a case of building configuration into the platform, or was it customizing the platform for that region and it stays there? Like, do you keep the features across and you kind of build up this configuration matrix that can also get very wild and large and unnecessary in other regions? How does that come together, if that makes sense?
Brandin Chiu (19:55)
Yeah, so mostly, yes, there is a ton of configuration sprawl. The good of that is that it allows us to at least continue to sell the platform as if it is a generic tool that anyone can make use of. If we ever find a use case that matches a configuration that we added for somewhere else, we have some things we can build from. The bad of that is that it means configuring the platform is like the Rorschach test of crazy levels of documentation and institutional knowledge that we still get wrong to this day. We have, across all of the different spectrums that we need to configure, over 800 different configuration flags that can all interact with each other in varying ways. So we've run into a number of cases where turning on flag A and flag B works, but turning on flag A and flag D doesn't, and it does not work in catastrophic ways. And those are the kinds of things that we've had to live with on the technical side of things that we're really looking to address as soon as possible, because it is becoming a bit unwieldy. There are a few cases where we just build something directly for one particular client. We try to do that as rarely as possible, but every now and then it makes sense. One of the ones that I mentioned was different messaging providers
Ross Saunders (21:04)
Hmm.
Brandin Chiu (21:23)
with one of our clients' SMS partners in particular, because they had a very attractive SMS rate for a region we didn't otherwise have an integration with. And at the time we had also decided that we weren't going to continue to pursue that region. So it didn't make any sense for us to build a more generic integration for SMS. We just said, sure, we'll build in some hooks for just your
Ross Saunders (21:44)
Hmm.
Brandin Chiu (21:53)
account to use your provider. We're going to hard-code the integration points and your account ID is going to be in an if statement somewhere in the monolith and we're all going to pretend it's not there. There's going to be a to-do with a cleanup that no one's ever going to fix, but it works and it's only ever going to need to work that way forever, so we'll all just...
Ross Saunders (22:10)
Taking you back a few steps into what you were discussing there, something that sprung up in my mind, just talking about those 800 flags and things like that, and you've got these configurations that you might see again in another region. Have you had any serendipitous moments where it's like, hey, we've actually already got that built in and we can deploy that straight away? Have you had any of those?
Brandin Chiu (22:39)
Yes. So one of the things when we launched in Ecuador first in 2016, one of the very first things we had to do was integrate with their national ID they call a cédula. It is for all intents and purposes the same thing as like a social insurance number, but it's designed to be public, which means you can't use it for some of the things that we use social insurance numbers for. So there's a digital registry that kind of everyone could find someone else's cédula in, and it really wouldn't be the end of the world. Whereas, you know, here someone gets their SIN numbers and they're opening mortgages and credit cards and your life's ruined. So we had to integrate with that, and some form or another of that kind of system exists in several different Latin American countries that we didn't know at the time. And that was nice. So we did this one thing for Ecuador and we started expanding and, like, oh, yes, we can support that. That was one of the things that actually helped us expand really quickly into Latin America, because when, you know, a Colombian business or a Peruvian business is asking this Canadian startup if they support this very specific thing to their nation and we can say yes without kind of having to go back and think about it, it's really nice as far as like a sales motion goes for building really early rapport.
Ross Saunders (24:03)
On that topic of, talking about sales. Do you find that having privacy features and compliance features around sort of email consent and consumer consent, things like that, does that fall into your sales pitches in these regions? Is it something that you market on, or is that something perhaps that the region's maybe not mature enough for? I have seen it, like I see in California, like marketing towards CCPA is a big thing, and in Europe GDPR is a big thing, and a lot of companies take it as like a marketing springboard. Do you find that at all?
Brandin Chiu (24:36)
I don't spend a lot of time in sales directly. I haven't heard anything. I could be mistaken, but I haven't heard anyone from our sales team really, like, coming out and saying we need to really focus on this. The one place where I will say that I have noticed that it matters is in some of the very, very top end of our accounts, in particular accounts that are licensing American brand names. So we have several master franchisees in Latin America that are from larger US
Ross Saunders (24:58)
Hmm.
Brandin Chiu (25:04)
brands who impose requirements down because of brand reputational risk. So those accounts will care so much that it's a checkbox that absolutely needs to be met that the companies or vendors you're working for have privacy controls. They will protect our data so that I'm not going to find out, I'm not going to see my brand on the news in Ecuador exposing a bunch of customer data. So for those accounts, it definitely has mattered and it'll show up in RFPs and other
Ross Saunders (25:29)
Yeah.
Brandin Chiu (25:40)
sales documents. But for some of the larger ones, like only based in those Latin American regions, I haven't seen it as much.
Ross Saunders (25:48)
Okay. And how do you find the dev teams buy into privacy and privacy features? Like, does it come up in conversation? Does it make its way from RFPs into dev? 'Cause sometimes it doesn't happen that way either. What's kind of the maturity and the feel like in the dev team for that?
Brandin Chiu (26:06)
It matters a lot for us. We treat it the same way we treat security requirements, so it comes up in those same conversations. Most of that is talked down from me around managing risk: risk to our brand reputation, risk of financial penalties and things like that. It'd be the same risk as if our, you know, our
Ross Saunders (26:11)
That's great.
Brandin Chiu (26:28)
database password was password 123. It's something that everyone has kind of been trained to care about. And I like to think that everyone on our team cares deeply about the end customer and no one's really looking to go out of their way to have them have a bad time. So protecting them is really a win-win-win for everyone.
Ross Saunders (26:43)
Yeah.
Yeah, that's great. I love hearing, like, privacy being taken care of in the same vein as security. It's one of the things I recommend to my clients as well. You know, don't just have it as, this is a feature request or a bug or something like that. Like, bring it in the same vein as security, and the intensity of that is great to hear. And great to hear, like, the team, like there's training provided and stuff like that. That is what you want. So, like, let's kind of hit on where you are currently now, as a company and as a team, and, you know, how you mentioned earlier, like there's a good 95% compliance rate, and I, you know, I don't think there is ever such a thing as a hundred percent compliance. I think it's completely impossible. 'Cause the second you have a change in process or something, your compliance changes.
I think it's kind of a spectrum that you're on. Where do you say you're sitting now? How comfortable are you with your programs? What's still on the roadmap? What's coming? Where are you now?
Brandin Chiu (27:49)
Yeah, compliance being a moving target definitely impacts kind of where we feel comfortable. We try not to pretend that we're 100% compatible. We try certainly not to sell to our clients that we're 100% compatible or compliant.
The areas where we're making a specific focus around compliance right now are on SOC 2. The good news about SOC 2 is that it does filter down to a bunch of other systems and it's been popularized enough that kind of our merchants know it and see it. The other benefit for us that we've seen on going through some of the SOC 2 process, which we're still early in, is that it does help institutionalize just good practices throughout the business and throughout the different teams.
Lastly, some of those largest accounts in particular, some of those US brands, are asking for it now. We've continued to move further and further up market. There are a few that are starting to say that this is a requirement in order to bid for this proposal. We need to know that you are compliant. We need you to be Type 2 compliant so we can download your...
Ross Saunders (28:40)
Mm.
Brandin Chiu (28:54)
attestation every year and get your SOC 2 report. So we're going through those processes now. We found the merchants we're working with so far have been really good around kind of a letter of intent being a good enough signal to start closing some of those conversations, and we're working through that process in the background, and we have target dates for that for, I think, by the end of Q2 of 2026 to be kind of done with that.
Ross Saunders (29:23)
Yeah, that's great. And I do enjoy that kind of, as you say, that SOC 2 filters down to a lot of things. And there's a lot of things that you become aware of doing those compliance exercises. And I like the different TSCs that you have in SOC 2, and some are more complicated than others, but like even just having that default security one is fantastic because of the controls you have to put in place. It really brings up that maturity a bit as well.
If you had to think of your journey that you've had so far in all of this, what would you say was perhaps something that was underrated, that surprised you and you needed to put more effort in there? And what would you say is maybe something that was overrated, where you put a lot of effort into something that maybe wasn't as much of a concern?
Brandin Chiu (30:13)
Yeah, starting with underrated, the thing that definitely stood out is this kind of false assumption that most people don't care about privacy. They're not thinking about it, that it isn't something that's on their mind. We have a measurable increase in customers that are making requests to either download their history, delete their accounts, remove themselves from programs. And that number keeps going up every year. So like those, the idea like I'm going to build these features that no one's ever going to use just because a piece of paper or a piece of legislation says I need to have them. There are...
Ross Saunders (30:40)
Yeah. Yeah.
Brandin Chiu (30:51)
There are people that care, there's enough people that care that not having that will become a problem for you. That one, so like that one for me, even I would not have made that assumption. I'm a relatively privacy-focused person. I'm not super aggressive about it, but there are certain things that I don't want, certain things I don't want to have access to my data, but there are other things that I don't really care that much about.
Ross Saunders (30:58)
Yeah, I feel that.
Brandin Chiu (31:16)
So I was definitely in that camp of, I don't think people are really going to do this. I was very wrong. So on the underrated side, that one for sure. On the overrated, just the concern that compliance will slow down progress or block progress. As I've mentioned, at least in the jurisdictions we've operated in, and we've operated in a lot of them, most of them have been very friendly.
Ross Saunders (31:36)
Hmm.
Brandin Chiu (31:44)
There really isn't anyone who's walking up to our front door and being like, stop everything you're doing. You can't be here until you do this, this, this, and this. Or locking down your bank accounts, killing all your accounts. Everyone that we've worked with has been really, really good in helping us, guiding us through the process, helping us prioritize which areas of compliance matter and what order to do them in.
So it's never been a blocker for us, or at least a long-term blocker for us, to kind of head down that road of compliance. We have not done GDPR yet. We haven't finished GDPR. We know there are sections of GDPR we are already complying with because we're compliant already for other regions. But we have not engaged with the EU on that just yet. We are probably not big enough for them to care.
Ross Saunders (32:11)
That's great.
Brandin Chiu (32:35)
And that really is one of the things to just really harp on, is that, again, as long as your name isn't Meta or Google, for the most part, you're going to fly under the radar unless you're doing something blatantly problematic to the point that end consumers are complaining to someone else.
Ross Saunders (32:50)
Yeah. And I think, you know, if we look at the spirit of a lot of privacy laws, you know, I like to think of myself as a bit of a realist in the privacy space. There's a lot of privacy folks, I think, particularly in the EU, who can be very heavy-handed and overzealous, I suppose. But I mean, if you look at the spirit of privacy laws, even across regions, you've got likely a good 70% overlap
of your compliance exercises in different areas. And it's, I think, good where we see like the NIST Privacy Framework that's coming out now, which is completely agnostic, but covers a lot of the things you would need. And I think you're right. If you've got a lot of the compliance in place in other regions, you are going to be complying with a lot of what you need to already, which I think is good. On what you were saying there about the underrated and overrated, I think, you know,
what you were mentioning about the regulators is a really good thing, and I've seen it when I've interacted with the odd regulator, that their primary function is to help you comply, not to penalize you. And when I've had to deal with regulators, they've been very friendly and forthcoming and like, oh, yeah, this is what you can do, this is what you can't do. Or they might be like, okay, you have to go to a lawyer for an opinion on this, we can't give you an opinion on that. But they've been very, very helpful,
particularly the folks that I've dealt with in Canada. I've dealt with some of the South African regulator folks. It's very good. And as far as those data subject access requests go, yes, I was working with a client and they didn't have contact details on their privacy notice yet. So we put that in for them. And what started as one or two DSARs in the first month became three in the next month, six in the month after that, 12 the month after that. And just this month-on-month doubling,
basically, of these access requests that came through. And I was also surprised that so many people are bringing up these access requests and deletion requests. So very important to be able to address those.
Brandin Chiu (34:54)
Yeah, we've definitely found a...
a stark contrast between kind of the militant rhetoric of, like, the politician around this versus, you know, the poor bastard sitting in a chair who's actually in an office building, who's actually responsible for implementing these rules. And it's much cheaper for them to have a conversation with you and tell you what you need to do than it is to go through an audit process and put boots on the ground and start harassing you over this. Really, none of them
Ross Saunders (35:10)
you
Brandin Chiu (35:25)
want to do that. They're all, you know, burnt out. They don't have enough staff to do this. So if they can get kind of everyone on board, and if everyone's acting in good faith, I've had nothing but good interactions with the regulator bodies.
Ross Saunders (35:41)
That's
great. So as we come up to a little bit of a wrap-up, I think, you know, I think what I want to find out is, is there anything else you want to leave listeners with, CTOs with, around privacy? Something that you've learned along the way that's really something you would want to communicate to other CTOs? What would it be?
Brandin Chiu (36:01)
This is a really good question that I've really struggled to think about leading up to our actual conversation. Because I, you know, looking back at what I've gone through in this last decade, a lot of these lessons are really hard to teach people. And some of them just really need to be learned painfully. You know, your hindsight is always 20/20 and
Ross Saunders (36:19)
Hmm.
Brandin Chiu (36:28)
It's hard to prepare people for things they're not looking to be prepared for. So the best I could come up with is don't be so pessimistic about compliance, security, privacy, that you don't do anything and that the pain at the end of that decision kills your company.
But don't be so open that progress stops and your platform becomes a compliance software instead of a value delivering vehicle for your customers. The nature of where that balance is, is going to change depending on your vertical, your business, your customer. But it's always going to be closer to the middle than closer to one of the poles.
Ross Saunders (37:14)
Yeah, absolutely. I think that is very sound advice for folks. And something I would absolutely echo, you know, privacy, the blessing and the curse of privacy is that you get to define what you are doing as far as your program is concerned. You don't get handed a checklist saying you must have X, Y, and Z. There's obligations, but it's not a checklist. And it's up to you to kind of right-size that for you and get that in for your business.
I think that's great advice. Brandin, I want to thank you for joining for this. This has been a great conversation. I think we've covered some great ground here, and I really appreciate hearing what you guys have done. This has been fantastic to chat to you.
Brandin Chiu (37:59)
Likewise, happy to be here, it was a great chat. I always love having these kinds of conversations, and compliance and privacy isn't always sexy, but it is interesting, especially around the practical implications of what it is to actually do this as opposed to ruminating about it and thinking about it as a thought experiment.
Ross Saunders (38:09)
Yeah, that it is.
Yeah, and there are definitely challenges to the practical implementation, and that's why we're here. So, folks, thank you for listening to Technically Compliant. There will be details about the show in the show notes and a link to Spoonity. You can see what they're doing. If this episode made you realize you should probably check on something, then you're welcome. If you need help identifying where you can have some quick wins or to put in a great privacy program that's
right-sized for you, like we were discussing, reach out to me, set up a discovery call, and I can have a chat with you. Alternatively, on my website, there is a free SDLC assessment where you can assess where you are with privacy in your team. And that comes with a free, no-obligation consultation at the end of it as well. So give that a shot, see what you get, and we can have a discussion about your risk. And to keep listening to the podcast, subscribe wherever you get your podcasts. And remember, we're all
technically compliant until someone asks us for proof. Until next time, cheerio.