Why Small Business Owners Can’t Afford to Ignore Data Privacy with Guest Jarell Oshodi, Esq.

Transcription: 

Dayna Thomas:
Hi, everyone. I am Dayna Thomas, Esquire and welcome to Launched and Legal, where it’s my mission to help you strategize, legalize, and monetize your business. I’m so excited that you’re watching because today and in every show, I’ll be sharing the best practices and tips to take your business and brand to the next level.

Dayna Thomas:
Today, we’re going to dive into data privacy. I know for a fact that many entrepreneurs do not even think about or even consider data privacy compliance for their business. Sometimes we may think that because we’re a small business, then data privacy does not apply to us. Well, today, our guest is Attorney Jarell Oshodi, the founder of the Law Office of Jarell Oshodi, LLC, a law firm dedicated to protecting her clients data and legacies through privacy compliance and estate planning. Jarell is going to teach us some of what we need to know about data privacy and keeping your business compliant with privacy laws and regulations.

Dayna Thomas:
Hey, Jarell.

Jarell Oshodi:
Hi.

Dayna Thomas:
I am so happy to have you today.

Jarell Oshodi:
I’m happy to be here.

Dayna Thomas:
So awesome. So I’m an attorney as well, and I do practice business law. But when it comes to the privacy, the extent of my expertise, which I am very transparent about, is privacy policies, which we’re going to get into. But I’m so excited that you’re here today because we’re going to dive a little bit deeper…

Jarell Oshodi:
Yes.

Dayna Thomas:
… into privacy. So feel free to share.

Jarell Oshodi:
Okay.

Dayna Thomas:
So how did you even get into data privacy compliance? Because I can’t imagine in law school that you said I want to go into privacy law. So how did this come about?

Jarell Oshodi:
So actually, I started in the federal government as a federal attorney and I wanted to get to DC. I saw a job that looked really interesting. I applied and my supervisor, she assured me that I had all the transferable skills. It was actually in FOIA, Freedom of Information Act.

Jarell Oshodi:
But with information governance, it paralleled privacy and FOIA, I over to privacy because, although FOIA was a government, mostly government, regarding government records, privacy was versatile and I wanted to be more marketable. So that’s actually how I got into privacy.

Dayna Thomas:
So it was a law school dream.

Jarell Oshodi:
No, not at all. Not at all. I studied, I researched, I learned all that I needed to know regarding the certified information, privacy professional, and a certified information privacy management certifications.

Dayna Thomas:
Wow.

Jarell Oshodi:
And here I am.

Dayna Thomas:
That is so fantastic. So tell us exactly what is data privacy compliance and why is it important for entrepreneurs?

Jarell Oshodi:
I know many people are familiar with privacy laws like HIPAA, that’s regarding their medical records or their personal health information. Consumers have privacy laws to protect them as well. And so businesses, it’s important for them to follow laws like GDPR, if they have consumers in Europe, or CCPA, if they have California residents, but also we have the FTC that just makes sure that organizations and don’t follow any deceptive practices.

Jarell Oshodi:
And so in privacy compliance, it’s all about training your employees, making sure they’re protecting data. It’s all about making sure you have the proper privacy and security controls in place like privacy policies, making sure that you’re protecting data that’s sensitive. Also making sure that you’re reducing the risk involved with collecting all of this data. Because I know nowadays, everyone wants to grow their email lists and market and all these things. But privacy compliance is important because you want to make sure there’s consent.

Dayna Thomas:
That’s right.

Jarell Oshodi:
You want to make sure that you are getting fresh consent every time you want to use that data for a new purpose. Things like that. That’s why it’s important because most importantly, you don’t want to get fined if you violate these privacy laws.

Dayna Thomas:
And these are things that we don’t normally think about and think it doesn’t apply to us, but it definitely does.

Jarell Oshodi:
Yes.

Dayna Thomas:
So are these privacy laws, do they vary by states or is it pretty consistent across state lines?

Jarell Oshodi:
It is not consistent at all. Some states don’t have privacy laws, some states do. Like California recently, they have a privacy law. Virginia is new with their privacy law. In the US, we don’t have a federal privacy law like there is in Europe and Canada and other countries. We have sectors usually. So there’s, like we said, HIPAA, just different areas. If you are collecting data regarding children under 13, that’s COPPA applies, things like that. If you are dealing with email marketing, the Can Spam Act may apply. Just different sectors have different privacy laws to protect data in those instances.

Dayna Thomas:
Okay. What about Georgia? Does Georgia have a privacy law?

Jarell Oshodi:
Georgia does not have a privacy law, but Georgia, and just like most states, they do have rules regarding when to report data breaches and things like that. But no privacy law yet.

Dayna Thomas:
Not yet. Be in the works. All right. So many businesses think that just because you have a privacy policy on the footer of your website or wherever it may be, then that’s sufficient to be in compliance. So is that true? And if not, what are these businesses overlooking?

Jarell Oshodi:
No, I’d say that’s absolutely not true. If you’re collecting personal information from your consumers or your clients, it’s important that you have more than a privacy policy. It’s important that you are taking inventory or actually creating a data inventory, determining what personal information you’re collecting. And this isn’t something that is just, it’s generally a case by case scenario. So depending on the type of data you’re collecting that determines what type of privacy controls you need.

Dayna Thomas:
I see.

Jarell Oshodi:
And when I say privacy controls, it sounds so technical. It’s not. A privacy control can be an administrative control, like a privacy policy.

Dayna Thomas:
Okay.

Jarell Oshodi:
Training. That’s something, I think, that’s overlooked that people and businesses don’t invest in because most breaches are caused by human error. So if we are training-

Dayna Thomas:
We’re thinking hacks.

Jarell Oshodi:
Yes. Yes. If we need to train ourselves, especially as solopreneurs. But if you have a small business with employees, you need to invest in training your employees, at least on an annual basis, Things like that. But I would say training is very important and also have a data breach response plan.

Dayna Thomas:
Wow.

Jarell Oshodi:
If there is a breach, what are you going to do?

Dayna Thomas:
That’s right.

Jarell Oshodi:
In addition to having a data breach response plan is one thing to have some written down. But there’s a thing called tabletop exercises that we do. It’s like the fire drill.

Dayna Thomas:
What if something happens? What do we do?

Jarell Oshodi:
If something happens, we get all of the integral people in the room and we discuss, okay, this is the hypothetical. Who’s on? What’s next? We discuss it. And then we have an inject. Oh, it just made the news. Now what? Who do we reach out to? What happens next? And you-

Dayna Thomas:
Media get control too.

Jarell Oshodi:
Yes. And you identify those gaps. And there’s always gaps. There’s always room for improvement. Your data breach response plan should be a living document, things like that. Training, data breach response, privacy policy and procedures.

Jarell Oshodi:
Maybe you collect sensitive information. Social security numbers. You may want to just do a risk assessment to determine, do we need to collect this type of data?

Dayna Thomas:
Yeah. Where are we storing it?

Jarell Oshodi:
And because this is sensitive data, maybe we need higher privacy controls. Maybe we need certain types of encryption and other technical things I don’t want to get into.

Dayna Thomas:
No, that’s fine.

Jarell Oshodi:
But I’m sure you all notice now when you’re trying to log in, there’s multifactor authentication. You’re logging on your laptop.

Dayna Thomas:
The bridge, click on the bridge, the traffic light.

Jarell Oshodi:
You want to log into your laptop and then you may have to confirm it on your cell phone. And just confirming that you are who you say you are.

Dayna Thomas:
Yeah. Some people get annoyed with that.

Jarell Oshodi:
Exactly.

Dayna Thomas:
But I like it. I actually like it. It just proves that it’s a little bit more safe. So I don’t mind and jumping through those hoops to make sure that it’s actually me logging in.

Jarell Oshodi:
Yeah. Because privacy compliance is all about individual rights to privacy. And what other countries have that is slowly but surely… I keep saying California, because it’s the first major state CCPA, but data subject rights. We have these rights now. We have rights to access our data. We have the right to be deleted or what they call the right to be forgotten now. The right to correct the data in these databases.

Dayna Thomas:
Unsubscribe. You have to unsubscribe me if I make a request.

Jarell Oshodi:
Exactly. So even though you may be a small business, you want to put those measures in place now so when you do grow, when you do become that seven figure, eight figure business, you don’t have to work backwards. You don’t have to pay more money to make sure you’re compliant. And you don’t want the risk of these fines.

Dayna Thomas:
Absolutely.

Jarell Oshodi:
And most importantly, your customers are your biggest asset. You want that customer trust,

Dayna Thomas:
Right. To feel safe.

Jarell Oshodi:
Exactly. You want them to know that you trust their data, you’re doing what you need to do to protect it because that’s what’s making your business lucrative.

Dayna Thomas:
Very true. And you mentioned risk. So are there certain types of businesses that are more at risk when it comes to data privacy versus other types of businesses?

Jarell Oshodi:
Absolutely.

Dayna Thomas:
Okay.

Jarell Oshodi:
Absolutely. And I feel like I keep repeating myself.

Dayna Thomas:
No, listen, we want to hear it over and over again so that it can stick to us.

Jarell Oshodi:
So it’s all about the initial risk assessment and identifying what type of personal information you’re collecting. But if you’re collecting sensitive, personal information, your social security number, driver’s license, financial data, you’re putting your clients… That’s at a higher harm. That’s a harm that can be long lasting. So you want to make sure you’re consulting with your security and your privacy professionals to make sure you’re protecting it properly. Or as we say in the legal field, reasonably.

Dayna Thomas:
That’s right.

Jarell Oshodi:
So reasonable can vary depending on the type of data you’re collecting.

Dayna Thomas:
Expectations, things like that.

Jarell Oshodi:
Exactly.

Dayna Thomas:
Okay. So it’s not necessarily the type of business, but whether it’s in your business operation to collect certain types of information, social security numbers, driver’s license, maybe pictures of that person, addresses, credit card information. All of that.

Jarell Oshodi:
Exactly. Exactly.

Dayna Thomas:
There’s a lot. It’s in the cyber space. Okay. So tell us, so when a client comes to you and they would like to have data compliance and they have nothing in place, maybe they have a website, they take payments online, but they have nothing, not even a privacy policy. What are the steps that you would recommend for them or that you work with them on to get them to being in compliance?

Jarell Oshodi:
We will start with a privacy health check. At least that’s what I call it. We start from the beginning and we determine what are you collecting? And we go through the data life cycle. You collect the data, you process the data, you store the data and you may share the data and then you destroy the data. So at each one of these points in the cycle, are you doing what you need to do, best practices, to protect this customer, this client’s data? And starting with the collection, we try to minimize the amount of data that we’re collecting or the amount of personal information that we’re collecting. We may see that a client is collecting these driver’s license or credit card numbers, but maybe you don’t need it as long. What’s your retention policy? We may need to establish one. Because you have the risk for no reason.

Jarell Oshodi:
What is it benefiting you? We may see that you’re storing email addresses. You’ve already delivered your product. So why do you need it? And most of them say, “Oh, I want to reach out to them for email marketing.” Did they consent to that? Is that in your privacy policy? As a matter of fact, when was the last time your privacy policy was updated? Because it should be update every year. And many times I recognize where they say, “Oh, I’m not sharing data.” But there’s Google analytics and all of these other apps that you are sharing data with. Is that in your privacy policy?

Dayna Thomas:
Third party services.

Jarell Oshodi:
Exactly. So things like that, we start with identifying the data, who you’re sharing it with, who owns the data, how long you’re going to maintain it, and is it worth the risk.

Dayna Thomas:
Wow. That’s a good assessment. So normally, I would think that’s not in your initial consultation, but I guess you start the conversation there?

Jarell Oshodi:
Yes. We start and lead into it.

Dayna Thomas:
Okay. Well, that’s good information. So if an entrepreneur comes to you and they say, “Hey,” or maybe they, you know our conversation today, but they’re thinking, “You know what? I just started my business. I’m not making that much money yet.” What would you say to them to get them to start thinking about privacy compliance?

Jarell Oshodi:
I would say that in today’s age, the digital age, consumer trust is key. You want that competitive differentiator. You want to comply with laws. And as these privacy laws, as you see, they’re moving from state to state, to state. Once it gets to Georgia, or once we have a federal law, you want to be ahead of the curve.

Jarell Oshodi:
You know what I mean? Also, you don’t want the risk of not being able to partner with other companies who are requiring privacy policies, who are requiring data breach response plans and proper data protection clauses in your vendor agreements. You want to be as easy as possible to work with. You don’t want to be considered a risk, a high risk business.

Dayna Thomas:
That’s true. It’ll be hard for people who want to collaborate with you, like you said. There’s a lot of things that I can reference in other areas of law that we talk about to make sure you have the solid foundations so that when these opportunities do come to you do have your data privacy compliance in order and different things. So that it’s a less of a risk for potential partners, collaborators, investors, whatever else it may be.

Jarell Oshodi:
Exactly.

Dayna Thomas:
That’s a good point. And then, you mentioned about your privacy policy updating it at least every year. How often should entrepreneurs do like the overall privacy health check?

Jarell Oshodi:
Definitely annually. You want to do your annually annual check, but then if you decide to collect more data or use data for a different purpose, it needs to be updated as well. Your privacy policies needs to be updated and you need to get, what they call fresh consent, things like that. So annually as you continue your normal practice, because these laws are constantly changing and being updated. But also intermittently if there’s a material change in your practice or in the way you do business or in the time type of data you’re collecting, especially if it’s sensitive data.

Dayna Thomas:
Absolutely.

Jarell Oshodi:
Or if you are marketing to children or kids under 13.

Dayna Thomas:
Yes. So I know that for a fact, because I work with some children that are influencers. And so that relates to some privacy in terms of who they are directing their content too, and things like that.

Jarell Oshodi:
COPPA.

Dayna Thomas:
Yes.

Jarell Oshodi:
COPPA. You need the parental consent-

Dayna Thomas:
Absolutely.

Jarell Oshodi:
… as well.

Dayna Thomas:
There’s so much that goes into it. And I can only imagine that these laws are going to expand and more states are going to implement these laws because it is the age of technology. The internet is where it’s at. It’s easy for there to be breaches, for there to be hacks. And the government has to do something to protect us.

Jarell Oshodi:
Most definitely.

Dayna Thomas:
So the way that they do it is laws and regulation.

Jarell Oshodi:
Most definitely.

Dayna Thomas:
So thank you so much for your time. Tell us how we can reach out to you. If anyone wants to speak or consult with you about data privacy, how they can reach you.

Jarell Oshodi:
Of course, if anyone wants to partner, if anyone would like privacy training, especially solopreneurs, or if you and have employees you want to make sure are abreast of the data privacy best practices, you can reach out to me at yourCPO.com.

Dayna Thomas:
I love that.

Jarell Oshodi:
You can get more content regarding data privacy best practices, on Instagram at @YourCPO, and feel free to connect with me on LinkedIn network. You know what I mean? Let’s just build, promote and spread the news.

Dayna Thomas:
That’s awesome. We are going to get this data privacy information out to the masses and to entrepreneurs, so they are protected all around. Awesome. Thank you so much for being here today.

Jarell Oshodi:
Of course. Thank you for having me.

Dayna Thomas:
All right. Well, I hope today’s show helped to educate and inspire you as you pursue your business goals. Be sure to share today’s show with someone who can benefit and visit myasbn.com and subscribe. If you have any questions or comments about today’s show, I would love to hear from you, send me a message or comments on Instagram @daynathomaslaw. Remember to tune in next week and every week to make sure your business is launched and legal.