Episode 17

Navigating the global evolution of privacy legislation with Wanne Pemmelaar

If you’re a global business—which is increasingly the case for most businesses—then the proliferation of data privacy and records laws should be a growing concern. How do you keep them all straight, so you can ensure compliance?

Filerskeepers co-founder Wanne Pemmelaar joins Anthony to discuss the complex evolution of privacy legislation across the globe, and why companies focused on easy wins are missing essential records management tasks. Wanne also shares his theory that customer data deletion is the ultimate way to demonstrate trustworthiness.

They also discuss:

  • How organizations are bringing records management, privacy, data governance roles closer together.
  • How companies are responding to new privacy legislation by ticking off easy wins, but often neglecting the essential records management aspect.
  • How Filerskeepers addresses the growth in privacy legislation across the globe.
  • The complex evolution of state privacy laws in the United States
  • The post-GDPR evolution of privacy and data regulation in Europe
  • Why data deletion and records deletion is the ultimate way to show your customers you are trustworthy

Resources

Transcript

Anthony Woodward  

Welcome to FILED a monthly conversation with those of the convergence of data, privacy, data, security, data, regulations, records, and governance. I'm Anthony Woodward, the CEO of RecordPoint, and today I'm joined by Wanne Pammelaar, who's the CEO and co-founder of filerskeepers. How are you, Wanne?

Wanne Pammelaar I'm fine.Thanks for having me. Absolutely. And what part of the world are you joining us from today? The Netherlands. So, it's actually 9 p.m. here. I'm often working from. early European time zone to late American time zone. So, that's it.  

Anthony Woodward  

Thank you for jumping on. I'm sitting in Seattle. So, uh, it's perfect. Uh, 12.01 PM here and a lovely day outside, uh, for Seattle, in fact.

Anthony Woodward  

We've been talking a whole bunch, and in fact, we both just come off a bunch of different conferences that we happen to spend some time together at. There's been a lot of conversation going on. What do you see that's really happening in that landscape? Reflecting back on those conferences and the conversations, what’re the big topics that customers and stakeholders are talking to you about?

Wanne Pammelaar  

So, everybody, of course, is talking about AI. That's kind of like the hot and happening new thing. What I find very interesting is that I've seen many, many customers who just want to flip the switch on their copilots in Microsoft and just see the magic happen, basically. And then I always wonder, yeah, but how about the basics?

Wanne Pammelaar  

How's your privacy posture? How's your data security? How's your records management? Aren't you just holding on to a whole lot of records and data, and maybe in a few months, you'll be confronted with a big mess. I was very pleased to learn that there were during those conferences, there were definitely a few sensible companies that said, you know what, let's hold off on the copilot thing.

Wanne Pammelaar  

Let's clean up our team sides and our SharePoints and everything, and let's then turn it on because that will be way more powerful. So, that's something that I noticed. And what I found interesting, especially in the records management conferences was that more and more it's about privacy, which I think is, is very interesting because privacy is kind of changing the records management landscape.

Wanne Pammelaar  

I think for the better, to be honest, we're going from just archiving to balancing risks and adhering to laws from a minimum perspective, but also from a maximum perspective. You need to let go of your records at one point. Yeah.  

Anthony Woodward  

No, great. And one of the things I heard a lot about as well was people looking at this convergence.

Anthony Woodward  

So, what were previously viewed as kind of there was records and that was a discipline as privacy. And that was a discipline. There was data and there was that was a discipline. Uh, you know, what AI, but I think also other trends in the industry is causing us to do is to really look at the convergence of these things, not necessarily as a single entity, but certainly as a very closely related interrelated set of disciplines.

Anthony Woodward  

Did you observe that at all?  

Wanne Pammelaar  

Yeah, so I think the trend is now, hey, let's try to bring together our data governance, our privacy, our data security, and our records management teams together in one organization. That's very forward thinking, by the way. Yeah, so in practice, we don't really see it, but that often, yeah.

Wanne Pammelaar  

But what I find also very interesting is in kind of like the Commonwealth and the US, there is a discipline of records management. There's almost no such thing in Europe. No, you have privacy teams, data security teams, and then people go like, where's our records management expert, by the way, and that nowadays lands on the desk of privacy and maybe even more so on whomever just touches the topic, basically gets it thrown in their lap.

Wanne Pammelaar  

So, yes, we see convergence. We also see that, you know, in some regions there's a whole lot of catching up to do. And for example, what filerskeepers does basically is we read all the laws in the world, and then we take from their rules that tell companies how long they should store their records and data.

Wanne Pammelaar  

And then we help apply those rules to the records and data of our clients by building retention schedules, global retention schedules. And, and we can help make risk based decisions around that. You know, what's your most optimal retention period? If you have 50 countries to kind of manage, and it's just too overwhelming to implement 10, 000 different rules into your systems, but also how do you keep that up to date so we can send a ping when the law changes.

Wanne Pammelaar  

And by doing this, we attract organizations from everywhere in the world, basically, whether they're from Australia, Brazil, or, or us or Europe. And what we now see, for example, in. Countries where they have recently issued a new privacy law is that they are not interested in records management whatsoever.

Wanne Pammelaar  

They're just focusing on hitting kind of like ticking the boxes on the, on like, I need to get my role pass on records of processing activities in order. I need to do impact assessment. I need to have published privacy statement. But then two, three years later, that's where we see whole records management, you know, it's that one on tick box and we need to know.

Wanne Pammelaar  

So, for example, a lot of interest now from Brazil, which, you know, have been working on the, on their privacy, new privacy law for a while, basically.  

Anthony Woodward  

It's super interesting what you'll do there at filerskeepers. This notion of having a consolidated set of regulations that constantly maintained and people can access that and then look at the subsequent disposal schedules and how they should treat that data.

Anthony Woodward  

You mentioned that you're doing that globally. Have you got every country in the world covered, you know, both from a privacy and a records lens or how, what's the scope?  

Wanne Pammelaar  

Basically, what we do is we read all the laws in a country or state, and we read them from A to Z, or from 2024, all the way back to the very first law that we can find that's still in force, and we've done that for all the countries in the world, national level.

Wanne Pammelaar  

And we have over a hundred states, uh, now in our database. So, think of everything in the US, Canada, Australia, but did you know that Brazil has 25 plus states and so does Nigeria and Switzerland. So, we're still catching up. We basically always, and this is how we did it over the past year, the past five years, we always go where the need is.

Wanne Pammelaar  

So, if our clients tell us, you know, you now need to do Switzerland, we will focus on Switzerland, basically.  

Anthony Woodward  

No, great. And what's the gamut of that? Is it focused on privacy and GDPR and those things, or is it really focused more on records retention? Like where do you sort of stop and finish?  

Wanne Pammelaar  

So, my co-founder and I both are global data protection lawyers.

Wanne Pammelaar  

So, we come originally from privacy. Yeah. And it was also what we were working at a top tier law firm here in the Netherlands. And one day a client came to us and said, hey, can you please let us know what the retention rules are in 78 countries? And we tried, we failed. We engaged 60 law firms, and they were completely stuck because this was taking up way more resources than they had hoped for.

Wanne Pammelaar  

You can ask law firms a lot of questions, but please don't ask them to read all the laws in their country in search of a few retention periods. So, we had to write off a whole lot of costs going over budget. So, that was the moment that we looked at each other and said, this needs to be a product, not a service, basically.

Wanne Pammelaar  

And that's, that's how we started. So, our basis is in privacy. So, naturally we look at guidance from privacy regulators. We look at the privacy laws that often are very unhelpful. It says usually no longer to keep this no longer than necessary for the purposes for which you have collected or processing the data.

Wanne Pammelaar  

But what we also noticed was it was basically all those other laws that actually contain minimum, maximum retention periods or statute of limitations that could be good inspiration. And this is where every single law may have a retention period. And why is that? Well, very often when a lawmaker makes new laws, say it's an environmental law, then they go like, okay, how do we make sure that organizations actually adhere to those laws?

Wanne Pammelaar  

Well, you know what, we'll just put in a minimum requirement to keep the records so that when we do an audit, at least, you know, we know for sure that there is something there to be checked basically. So, that's how this started. Now what the privacy laws do at the same time, so if you have a minimum requirement of say, you know, keep this record five years, privacy laws then say, keep it no longer than necessary.

Wanne Pammelaar  

So, that can be in accordance with the law, of course. That kind of makes every minimum almost a maximum. If personal data is, is involved, meaning you need to have a very good reason to kind of keep the records beyond the minimum retention period. So, this is something that kind of influences each other, basically.

Wanne Pammelaar  

So, we always jokingly say our database, of course, you should use it to kind of inform yourself on how long you need to keep certain records, but we also know thousands, hundreds of thousands of reasons why you are allowed to keep data. Yeah. Under privacy laws. So, because you have to basically, yeah,  

Anthony Woodward  

And that's super interesting, you know, we at RecordPoint think a lot about how you automate the application of those regulations to data. We don't obviously do the work that you do on the regulation side, but there's a lot of shift in people's expectations of how those regulations should be applied and some more modernization of legislation out there to think about, and even case law to think about how organizations should handle data and what are the processes, even pre-disposal. Are you seeing that, you know, as particularly as we think about the privacy implications, some of the changes that even happen in the CPRA requirements in California, you know, a year back, what are you seeing?

Anthony Woodward  

Those trends occur and the big kind of movements around that data management capability.  

Wanne Pammelaar  

Yeah, so you touched upon a few points here, which I'm kind of battling in my head where we'll start. Let's start with the last thing you said on the CPRA. So, let's just talk about how things are shifting in the US and in Canada, especially.

Wanne Pammelaar  

So, traditionally, the US and Canada are very light on privacy laws, basically CPRA has changed that. So, now you suddenly have a full-fledged GDPR-style privacy law at state level in California, the original CCPA just had a requirement that if someone was complaining about you keeping data, you would have to delete at a request the data, but then that was not enough.

Wanne Pammelaar  

And with the ballot initiative, when they voted in Biden, at the same time, there was a ballot initiative to kind of up the level of protection and in there that it became the CPRA and there it was the requirement to keep data no longer than necessary. And that's a huge shift. It was the first of its kind in the U.S. And there's more happening there, but let's start with how would you build a retention schedule before the CPRA kicked in? You would basically look at all the rules in all the states, and you would pick the longest minimum, because that makes sense. So, if there is a rule in Minnesota that says 10 years, and it happens to be the longest in the US, you would pick that to inspire the minor retention of whatever, let's say some technical factory records or something, and then suddenly now the CPRA comes in into effect and say, it says no longer than necessary. So, you cannot go to the Californian regulator and say, hey, there is this rule in Minnesota that tells me to keep something for 10 years. They will go, no, you have to adhere to the rules.

Wanne Pammelaar  

Californian privacy law that says three years, so you're going to keep it three years here. So, it's going to make it very complex in the US, if you get like this patchwork of privacy laws telling you to keep things no longer necessary, to know what to adhere to. The US—we at the moment—Filerskeepers has over 300,000 legal citations.

Wanne Pammelaar  

The US accounts for 100,000, so one third of those rules. Yeah, so it's going to be very, very complex. Now what we see is that the FTC has woken up to the notion of records retention. And what they basically say, and that they've issued several enforcement cases is, first of all, you have to have a retention schedule.

Wanne Pammelaar  

Yeah. So, you need to have a policy which determines how long you need to keep your retention, for your records. You need to be transparent about that policy. So, you need to even publish it online. You can't just say, oh, I'm keeping this no longer than necessary in accordance with the law. That's not specific enough.

Wanne Pammelaar  

You have to publish this, and they really believe that. And what is the basis for that? It's their section five of the FTC act, which basically is a provision against unfair trade practices. So, they start reading this whole privacy law now in their own section five of the FTC act, and they really mean it because they do have some kind of like policy making and lawmaking powers.

Wanne Pammelaar  

So, now, for instance, for the COPA, so the Child Online Protection Act, there are some regulations. They actually say we want the no longer than necessary requirement in there now. Yeah, so that would be the first federal US federal rule that would have that. So, long story short, no longer than necessary is creeping into the US law.

Wanne Pammelaar  

Similar trends are we can see in Canada.  

Anthony Woodward  

I'm from Australia. Brand new legislation coming into Australia, the Australian parliament. There's an exposure draft out that absolutely has that and pretty much echoes what we're seeing both in California and out of the FTC, but what's happening in the rest of the world that you're observing?

Wanne Pammelaar  

The rest of the world kind of goes further than the US yes. So, the US is still very consumer-oriented when it comes to their privacy protection. That's the fun thing that I see now in, in Canada, I've have, have very interesting conversations with Canadian partners and friends and clients where you see the shift from traditional consumer protection to more employee protection, and that's a real shift.

Wanne Pammelaar  

In, in mindset, basically. So, the rest of the world basically tends to adopt the GDPR style privacy law. So, they kind of use that as a blueprint, its omnibus applies to everyone consumers, employees, but also people working for a legal entity. Everybody deserves some degree of privacy. So, it has way broader application.

Wanne Pammelaar  

And I think what's now happening is that the train has left off and we're now creating all those add-ons for Digital Markets Act, Services Act, AI Act, Data Act, all these add-ons, and you quickly now see the onset on those rules. And maybe if I may, to touch on the AI Act in the EU, which was recently agreed on, it has not yet been officially published, it's adopted, but it hasn't been published, it will be in May or June.

Wanne Pammelaar  

It contains 25 records retention requirements, just to give you an idea. Yeah, so around transparency and conformity and all of that. And what could happen, yeah, is that you could be slapped with a GDPR fine, and then slapped with another AI Act fine, yeah, because there are two different laws, and they do.

Wanne Pammelaar  

Technically regulate something else. So, there's a whole lot of development there. So, I think that the rest of the world is. That's where it's headed. So, it will be these, I think you started with a privacy law and then you will start regulating the data market and the AI market.  

Anthony Woodward  

Absolutely. And do you see with that complexity, there's beginning to be some best practices around how to approach this?

Anthony Woodward  

Cause the reality of, I think, you know, and you and I have talked about this a little bit. There really is some commonality in those laws, and as you said, there's different maturities in different jurisdictions, but the, it is starting to come to a common point, and it's not actually all common around the GDPR principles.

Anthony Woodward  

There are some uber principles that come into use of data, and the AI Act is a great example of that in Europe. But we're seeing other regulation happen in South America and other Asian countries as well around the regulation of AI. How do you see all this coming together? Like, where's the, you know, for those that are listening or what should they be thinking about as kind of the end game and the criteria they should be constructing?

Wanne Pammelaar  

So, let's start by the fact that regulators and legislatures around the world that serious about these acts. Yeah. And every day, almost like I said, it came from privacy and I looked at the live stream when the GDPR was voted into law by the European Parliament in 2016, and it didn't matter who the speaker was, or what political party, or, yeah, there was one message they had for everyone in the world, and that was real compliance, and it kept coming.

Wanne Pammelaar  

Repeating it over and over and over, so they're really serious about real compliance. And let me tell you what I think is necessary to achieve real compliance. And then I can also tell you what the stress test would look like. Yeah. If confronted with a regulator, and then you can kind of judge for yourself where you think you stand.

Wanne Pammelaar  

So, first of all, we see that companies, when it comes to records retention, they have three problems. The first one is not knowing the law. Yeah. So, we can help with that. But the moment you do know the law, you get completely overwhelmed with a number of rules. And so, you have to make choices. That's the second problem.

Wanne Pammelaar  

How do you make choices when laws are conflicting? And the one law says keep this minimum five years and then, uh, sorry, maximum five years. And the next one says keep this minimum 50 years. You can't comply with everything at the same time. You have to deploy a risk-based approach. And then the moment you have major choices, how do you then implement that into a very complex IT landscape?

Wanne Pammelaar  

And I think you guys can talk way more about that, but our kind of like goal is to kind of connect the laws and the choices around the law to the systems. And to make sure that we connect to companies like record point to make sure that we make this real and we are actually managing the life cycle effectively and on the basis of real information and that you can rely on.

Wanne Pammelaar  

So, that, I think that last part is going to be a huge project. Yeah. Can you imagine you have to face all the challenges that, you know, those companies face cloud on premise, current legacy, structured, unstructured, proprietary third party, but also just traditional. Hard copy, digital rights, a lot of paper that we, that we keep everywhere.

Wanne Pammelaar  

So, we need to kind of overcome those challenges. And then as to my point, like what would a stress test look like? I've litigated the topic of data retention under EU privacy law. I've seen the red spots in the necks of the regulators and what we do. One time I had a situation where I was assisting a client, and they were a digital television provider.

Wanne Pammelaar  

And then the, there was a breach, came in the news, there was a privacy regulator that stepped in and did their investigation. So, they would do a downgrade, would come, and it would say, open up the application. And then they were, and so someone would just open the application. They were like, no, no, no, no, I don't want to see the front end, I want to see the database.

Wanne Pammelaar  

Then you have to open up the database, and it will go line by line, yeah? What's that data about? Why are you keeping this? Who has access to it? How long are you keeping this? Well, any company will fail at that, at that level, if you really look at that level of detail. Well, then with the question, how long are you keeping this?

Wanne Pammelaar  

Our client said, well, six months, which I thought was a pretty reasonable retention period. To be honest, it was around viewer data. Yeah. Of the television shows that they broadcast. And then the regulator asked why, and they said, well, because we can maybe expect some questions around our broadcast. And they were like, prove it.

Wanne Pammelaar  

So, then the client went back, did their due diligence. We were very nervous. We were given a timeline of two weeks and I think one and a half weeks later, they came back to us and said, we got one. We got one. Here's a lady that had a question about a certain program four months after the broadcast. And we took that back to the regulator and the regulator responded by saying, congratulations.

Wanne Pammelaar  

You have now built a case for a four month retention period. That is, you're going to be your new retention period. The moral of the story is you need to also invest in use cases. If your data matters to you, if your records matter to you and you are faced with a no longer than necessary scenario, and your data analyst would be without a job if you don't have the data.

Wanne Pammelaar  

Yeah. And you can get that order for deletion. Then. Invest in a case around necessity, try to prove your business need, say, I need this for 10 years because my product life cycle is 10 years, yeah. Prove that your product life cycle is 10 years. Then play devil's advocate, yeah. Say, what if we were to only keep it five years?

Wanne Pammelaar  

Yeah. So, you ask your business. What if we just say five years, you're no longer allowed to keep it longer than five years, then they would say something breaks. Okay, what would break? Can you show that to me? Can you prove it quantitatively? Yeah. Through statistics or qualitatively through an example. The moment you do that, you're not only proving the business need, but you're also proving necessity.

Wanne Pammelaar  

Yeah, because you're proving that something goes wrong. If you would keep it shorter.  

Anthony Woodward  

And I think it's worth saying right as you talk, not just those in the discipline here of privacy and records and, and that in those areas as executives and CEOs and boards really talk and, and I've been in these, some of these conversations I know you have as well around how data is the oil of business, right?

Anthony Woodward  

It's what makes the machine run. We need the data to do that. I use this analogy a lot with people really thinking about having a car that runs on with oil in the engine. You need to tune it up. You need to continue to replace it. You need to continue to think about how you can best treat that engine if it's, you know, been through hot weather or cold weather and all those kinds of variables.

Anthony Woodward  

The same applies here to data, right? In terms of the analogy, we draw for boards around thinking about how you're retaining that oil. What is the key oil that we're going to have in different parts of the engine? How do you treat that differently? And what are those processes? And where that really comes back?

Anthony Woodward  

I think you're very much as you just said that stress test is are we clogging the engine up? Are we doing things that are wrong for different stakeholders? Because we're not looking after those, those elements well. And I think that's very much the message that we're giving to people is it is now a whole system.

Anthony Woodward  

It's not just, there's a privacy stack, there's a bunch of people that run data, there's a bunch of people that think about records, these things converge. And they converge both, the regulation expectation is convergence, right? And I think that's where, you know, both us at RecordPoint and yourselves at filerskeepers really come together to explain that story very effectively.

Wanne Pammelaar  

Yeah, and I think it was the New Zealand Deputy Privacy Commissioner a few years ago that said data retention is the sleeping giant of data security or cyber security. So, yeah, everything is connected and if you don't have a whole lot of data. The breach is smaller once you get hacked. Yeah, so yes, I agree.

Wanne Pammelaar  

And I like the analogy with the oil and the motor. If you just have oil in a barrel, it does represent some value, but the moment you put it in a machine, that's when it really creates something. So, yeah, I believe very much, and this is also why those cybersecurity rules, those privacy rules, those AI rules are so incredibly important.

Wanne Pammelaar  

There's a Chinese cybersecurity authority. The CAC is the most powerful regulator in China now. Yeah. For various reasons. But what I believe is, okay, so there are no real IP rights in data. Yeah. If I could license you my, the use of my name, I would love to do that, but it's impossible. So, the mechanism that we used to have until like 20 years and maybe GDPR, okay.

Wanne Pammelaar  

Five years ago, six, there was no real meaningful mechanism to regulate data. Yeah. And then the GDPR came and now the AI comes here. So, those are the mechanisms that are actually regulating the new oil over industry. That's why, you know, when such an act is proposed or a bill is proposed in any parliament, it gets lobbied to death basically, almost.

Wanne Pammelaar  

In the EU, they literally had to lock themselves up in the building of the commission at one point and throw out all the lobbyists because they were not getting anywhere because in parliament, they submitted three and a half thousand amendments and in commission council, they'd like 350 or something.

Wanne Pammelaar  

So, the whole process was stuck. And that's why when you read those laws, AI, GDPR, it feels like a compromise. And that's true. So. Yes, everything comes together, and I like the way I think the, the lawmakers are seeing this and they're kind of like coordinating their efforts around cybersecurity, AI and privacy.

Wanne Pammelaar  

I see that the industry is seeing it. Yeah. I have, we see more integrated products and, you know, things that are useful for different teams to call and work together on. It's now, I think the industry that needs to kind of reorganize itself a little bit more.  

Anthony Woodward  

Yeah, little by little. It's interesting. You're even—that quote you gave from the deputy privacy commissioner in New Zealand.

Anthony Woodward  

I was at a presentation that was very late last year. I think that quote you're talking about was earlier in the year. And she'd actually changed the quote to say that it was no longer the sleeping giant, but in fact was the awake giant. Of data of cyber security, because we certainly saw through last year and we won't go through all the examples here in this conversation, but example after example of retention of data resulting in large privacy breaches around the globe, right?

Anthony Woodward  

Where the last stat I saw from McKinsey was there was something like 100, 000, 000 people globally that had had their data over retained. And exposed from organizations, and I think that was driving regulators to think more and more about these problems.  

Wanne Pammelaar  

I believe that data deletion or records deletion destruction is the ultimate sign of trust.

Wanne Pammelaar  

It's basically when you tell your stakeholders, your customers, employees. We will let go of your data because we feel that your privacy, security, and well-being is more important than our short term economical gain, yeah? So, the fact that you can actually say, I dare to delete, yeah? We even have a t shirt, I dare to delete data.

Wanne Pammelaar  

We hand them out during Conferences, but that is a real sign of that trust. And we have done a bit of a survey with another company, and it actually showed that if you are actively deleting data and you are transparent about it, because you do need to brag about it, you can increase the consumer trust with 50%.

Wanne Pammelaar  

So, the fact that you, that, yeah, I got hacked, but I didn't have your data anymore. So, there was nothing to share, it is something that people really, really appreciate. Okay. It's very scary because it's against human nature by origin hunter gatherers. We need to gather the items to survive. Yeah, and the same goes for information.

Wanne Pammelaar  

The same goes for records. I've had so many discussions and people can get super attached to their data. I was, uh, as a lawyer, I once represented a client who was the biggest retailer here in the Netherlands, and I had a loyalty program. And the loyalty program came in the news, elementary questions asked.

Wanne Pammelaar  

Boom, privacy investigation. And one of the issues was retention. And I was looking at kind of like the batch files and everything. And I was sitting there with the data analyst, and I said, okay, so this should go. How old is it? 25 years. And I said, this should go. And he said, no, but, and he started crying and I said, what's wrong?

Wanne Pammelaar  

And then he said, well, I was there when we started the loyalty program. These are the first 500 people that signed up. And then in about three years, when there's the 25 year anniversary, I will, that will be the year that I'm gonna have my retirement. And I wanted to do this special thing with the original 500 people who signed up, right?

Wanne Pammelaar  

He was so attached to it. And I said, sorry, dude, it has to go. So, yeah, it's scary. I know.  

Anthony Woodward  

It's hard to know what to keep and what to let go of, and there are, that's why these rules exist. If you were to summarize this all up, what is it that you think would be the one or two things leaving this conversation you would tell someone to go away and do today?

Anthony Woodward  

If they could do nothing but those things, what would that look like?  

Wanne Pammelaar  

I think I've made the point already that you need a retention schedule, so I will not make that point. Yeah, but I think if you really want to manage your records and data properly, start by building in the basics. So, the first thing you need to do is have to have a very serious legal hold process.

Wanne Pammelaar  

So, you need to have a system where you say, it's silly, but with deletion and destruction, you need to cater for the exception first. So, you need to be able to preserve evidence, should you be compelled to. So, that could be, there's a litigation or a threatened litigation, and we now need to preserve the proof, we need to freeze it, and we need to make sure that If we implement retention in our systems, that we can kind of supersede that because when it's gone, it's gone and we can't preserve it anymore.

Wanne Pammelaar  

Yeah. So, that's the first thing, I guess. And the second thing is, I would say, make an assessment, prioritize. You cannot fix your entire IT landscape like that. You need to look at it seriously. You need to look at where are your biggest risks? What do you need to fix first? And be realistic. This is going to be a project that I think is bigger than any privacy or AI project will be.

Wanne Pammelaar  

And it's fundamental to anyone with AI ambitions. So, it's better, you know, start now or fail very soon.  

Anthony Woodward  

Yeah, that's amazing advice. Well, Wanne, this has been an amazing conversation. I could probably talk to you for hours, but I realize it's getting late there, and you probably want to go to bed at some point.

Anthony Woodward  

The big takeaway, I think, for most of the audience is there is a lot of different legislation. It's changing really rapidly. It is difficult to stay on top of this, and I think, you know, what's amazing around what you're doing at filerskeepers, and why we're really excited to be working with you here at RecordPoint is you're solving that problem.

Anthony Woodward  

And that's a huge pain point for customers. So, thank you. Thank you for the conversations we've been having. I really enjoyed the time and look forward to when we catch up again soon.  

Wanne Pammelaar  

Well, maybe I can add to that, that when I started the company, I had like a moonshot slogan and I said, let's solve records retention once and for all.

Wanne Pammelaar  

And when you say this, you can do this for any problem in the world, basically. And so, it's almost a bit cheesy, but I think the people who are in records management understand. What we mean. I'm very optimistic. We started off by reading all the laws in the world. People told us that that can't be done. We did it now.

Wanne Pammelaar  

I think we need to just fix it in the whole landscape. I'm very positive. My prediction is that maybe in like three years we have got this thing under control and now I can see it. How we would do that and definitely through a partnership like we have with record points. So, that's awesome  

Anthony Woodward  

Great. Thank you.

Anthony Woodward  

Have a good rest of your evening and night. I'm Anthony Woodward. Thank you very much for tuning in. This has been an episode of FILED.  

Wanne Pammelaar  

Thank you.

Enjoying the podcast?

Subscribe to FILED Newsletter.  
Your monthly round-up of the latest news and views at the intersection of data privacy, data security, and governance.
Subscribe Now

We want to hear from you! 

Do you have a burning topic you'd love to hear discussed?
Submit your topic idea now to help shape the conversation.
Submit your Topic