Privacy in Practice

Privacy in M&A: Getting Acquisition-Ready

In this episode of Privacy in Practice, Kellie du Preez and Danie Strachan speak with Gabe Maldoff, a partner in Goodwin’s Data, Privacy, and Cybersecurity practice, about privacy in mergers and acquisitions. The conversation explores why investment rounds and acquisitions often become forcing factors for privacy maturity, especially for startups and fast-growth companies preparing for their next stage of growth. The discussion covers what sellers should prepare before due diligence, how privacy representations work in transaction documents, when disclosure is legally required versus strategically useful, and why the way a company explains its privacy posture can matter as much as any underlying issues. What this episode covers: * Why investment rounds and acquisitions can drive privacy maturity  * How uncertainty around data practices creates deal friction * The difference between required legal disclosures and strategic disclosures * Why buyers often evaluate security incidents based on the quality of the response  * Why AI representations and vendor diligence are becoming more important in deals * How data governance, privacy notices, and recordkeeping can support acquisition readiness * Three practical steps companies can take today to better position themselves as acquisition-ready And so much more! Connect with Gabe Maldoff here: LinkedIn [https://www.linkedin.com/in/gabe-maldoff-74755646/] Connect with Kellie du Preez here: LinkedIn [https://www.linkedin.com/in/kellie-du-preez-a8abb3/] Connect with Danie Strachan here: LinkedIn [https://www.linkedin.com/in/danie-strachan/] Follow VeraSafe here: LinkedIn [https://www.linkedin.com/company/verasafe/posts/?feedView=all] If you enjoyed this episode, make sure to subscribe, rate, and review it. EPISODE HIGHLIGHTS: * [05:20] The Biggest Privacy Deal Breakers The issue  is not necessarily the existence of privacy gaps. More problematic is not knowing they exist. Buyers can price risk, but they can’t price uncertainty. Transparency and self-awareness beat perfection every time. * [20:47] Security Incidents: What to Disclose and How Many companies will face an incident eventually. What matters most is the quality of the response, including proper investigation, the right advisers, and taking ownership. A big breach handled well raises fewer red flags than a small one handled poorly. * [34:21] The Most Valuable Privacy Investment You Can Make Not every company needs a CPO, but every company needs someone who owns privacy. The right person drives milestones, communicates risk to executives, and brings the calm confidence that buyers look for. People are the single most lucrative investment in privacy. * [46:04] Three Things You Can Do Today to Be Acquisition-Ready Buyers are not looking for perfection. They are looking for signs of operational maturity, accountability, and trustworthiness. We explore several areas that can have an outsized impact on how companies are evaluated during diligence. EPISODE RESOURCES: * Gabe Maldoff on LinkedIn [https://www.linkedin.com/in/gabe-maldoff-74755646/] * Kellie du Preez on LinkedIn [https://www.linkedin.com/in/kellie-du-preez-a8abb3/] * Danie Strachan on LinkedIn [https://www.linkedin.com/in/danie-strachan/] * VeraSafe Website [https://verasafe.com/] Privacy in Practice is handcrafted by our friends over at: fame.so [https://www.fame.so/?utm_medium=podcast&utm_source=bcast&utm_campaign=masters-of-community-with-david-spinks?utm_medium=podcast&utm_source=bcast&utm_campaign=fame-client]. Connect with us at podcast@verasafe.com This podcast is brought to you by VeraSafe [https://verasafe.com/].

Empowering Teams to Exercise Judgement in Privacy Decisions

In this episode of Privacy in Practice, hosts Kellie du Preez and Danie Strachan sit down with Leah Camilla R. Besa-Jimenez, Group Head, Enterprise Risk Management at PLDT, about how she approaches privacy inside one of the largest Southeast Asian telecommunications companies. The discussion focuses on privacy as an operational practice, not only a legal one: using risk matrices to structure decisions, coaching teams to exercise judgment, raising privacy issues early in project conversations, and shifting the company mindset from data ownership to data stewardship.  In this episode, the conversation centers on how privacy functions inside day-to-day operations. Leah explains that privacy is largely about process: how data is handled, how risks are assessed, and how teams are trained to identify issues before launch. The episode also discusses how leaders must empower privacy teams to make better decisions. What this episode covers: * Why privacy work is often operational, not only legal * How risk is assessed using impact, likelihood, and specific privacy dimensions * Why teams need to exercise judgment instead of waiting for answers * Why privacy questions should be addressed early in design and planning * Why customer data should be treated as something the company stewards, not owns * And so much more! Connect with Leah Camilla R. Besa-Jimenez here: LinkedIn [https://www.linkedin.com/in/leahbesajimenez/] Connect with Kellie du Preez here: LinkedIn [https://www.linkedin.com/in/kellie-du-preez-a8abb3/] Connect with Danie Strachan here: LinkedIn [https://www.linkedin.com/in/danie-strachan/] Follow VeraSafe here: LinkedIn [https://www.linkedin.com/company/verasafe/posts/?feedView=all] If you enjoyed this episode, make sure to subscribe, rate, and review it. EPISODE HIGHLIGHTS: * [00:05:21] Using Risk Matrices to Structure Decisions Risk assessments are used to guide conversations by assigning scores based on impact and likelihood. This helps teams explain their reasoning and makes discussions more structured and less reactive. * [00:09:04] Privacy by Design as a Cultural Practice Privacy by design is described as a behavior, not just a process. Embedding privacy depends on how teams think, interact, and raise issues during day-to-day work. * [00:10:59] Breaking Risk Into Specific Dimensions Risk is not treated as a single concept. It is broken down into customer impact, compliance impact, potential harm, exercise of rights, and operational cost, allowing for more precise evaluation. * [00:14:54] Clarifying Roles in Decision-Making Privacy teams do not make business decisions. Their role is to outline the risks associated with each option so that the business can make an informed choice. * [00:19:51] Planning for Exercise of Rights Early Teams are expected to consider how customers will exercise their rights as part of the design process, not after implementation. * [00:22:10] Starting With Conversation, Not Just Assessment Rather than relying only on formal reviews, early conversations are used to understand what teams want to build and to identify privacy considerations before requirements are finalized.I  * [00:24:18] Moving From Fear to Practical Enablement Privacy often starts as a response to risk or pressure, but the goal is to integrate it into how the organization operates so it supports decision-making rather than blocking it. * [00:27:43] Reframing Data as Stewardship Customer data is not owned by the company. It is entrusted to the company to process according to what the customer agreed to, which changes how responsibilities are understood. EPISODE RESOURCES: * Leah Camilla R. Besa-Jimenez on LinkedIn [https://www.linkedin.com/in/leahbesajimenez/] * Kellie du Preez on LinkedIn [https://www.linkedin.com/in/kellie-du-preez-a8abb3/] * Danie Strachan on LinkedIn [https://www.linkedin.com/in/danie-strachan/] * VeraSafe Website [https://verasafe.com/] Privacy in Practice is handcrafted by our friends over at: fame.so [https://www.fame.so/?utm_medium=podcast&utm_source=bcast&utm_campaign=masters-of-community-with-david-spinks?utm_medium=podcast&utm_source=bcast&utm_campaign=fame-client]. Connect with us at podcast@verasafe.com This podcast is brought to you by VeraSafe [https://verasafe.com/].

California Is Watching: Unpacking Enforcement Trends with Daniel Goldberg

California continues to set the pace for U.S. privacy enforcement, and 2025 is proving to be a pivotal year. In this episode of Privacy in Practice, hosts Kellie du Preez and Danie Strachan welcome Daniel Goldberg, Partner and Chair of the Data Strategy, Privacy, and Security Group at Frankfurt Kurnit Klein & Selz and 2025 California Privacy Lawyer of the Year, to unpack what’s really happening behind the scenes of CCPA enforcement. Daniel shares firsthand insights from public and non-public investigations, including trends emerging from actions involving companies like Sephora, DoorDash, and Jam City. The conversation explores what regulators actually prioritize, why misconfigured opt-outs and vendor oversight remain the most common pitfalls, and how the new Delete Act and data broker rules could dramatically shift compliance obligations. What this episode covers: * California’s accelerating enforcement landscape under the CCPA and what’s changed in 2025 * Why most enforcement actions stem from misconfigured consumer rights processes * The rising settlement amounts and what being on notice means for businesses * Public vs. non-public settlements and what regulators really prioritize * Vendor risk exposure, cookie banner failures, and contract deficiencies * How to operationalize opt-outs across websites, apps, and connected ecosystems * Data broker registration enforcement and what the Delete Act changes in practice And so much more! Connect with Daniel Goldberg here: LinkedIn [https://www.linkedin.com/in/danielmgoldberg/] Connect with Kellie du Preez here: LinkedIn [https://www.linkedin.com/in/kellie-du-preez-a8abb3/] Connect with Danie Strachan here: LinkedIn [https://www.linkedin.com/in/danie-strachan/] Follow VeraSafe here: LinkedIn [https://www.linkedin.com/company/verasafe/posts/?feedView=all] If you enjoyed this episode, make sure to subscribe, rate, and review it. EPISODE HIGHLIGHTS: * [02:58] What’s Changing in California Privacy Enforcement California’s privacy regime has moved from abstract compliance talk to sustained, precedent-setting enforcement. What began as a slow, symbolic action after the CCPA’s 2020 rollout has evolved into a coordinated enforcement landscape led by both the California Attorney General and the California Privacy Protection Agency (CPPA). Public cases, such as Sephora, DoorDash, Tilting Point Media, and Jam City only represent part of the picture. Across actions, regulators are signaling consistent priorities, including clear notice, lawful targeted advertising practices, functional opt-outs, and compliant vendor contracts. * [11:17] How Enforcement Starts Regulatory enforcement can begin the same way customers experience your brand: someone identifies a potential issue while browsing your website, reading about your company, or attempting to exercise their privacy rights. Consumer-facing companies are naturally more visible to regulators, since regulators are consumers too, but the biggest trigger is still complaints, especially when an organization advertises privacy rights and then fails to honor those rights due to misconfiguration, slow response, or a broken process. Many cases aren’t about willful neglect. Often, they stem from gaps between what a company thinks the law requires and what regulators expect in practice. And while companies often study post-investigation website changes for guidance, they do not represent a regulator endorsement nor should they be used as a compliance template. The practical move is to think like a regulator. * [22:36] Why GDPR Compliance is not enough in the U.S.  While the GDPR is rooted in human rights, most U.S. state privacy laws are grounded in consumer protection. That philosophical divide shapes everything from compliance strategy to enforcement risk. U.S. laws tend to focus on notice, opt-outs, unfair or deceptive practices, and contractual safeguards. GDPR, by contrast, is structured around broader accountability and rights-based principles. As enforcement expands and legal challenges grow, companies need more than a checklist. An effective privacy strategy requires practical judgment about real-world risk. * [45:10] The Cross-Device Opt-Out Obligations Regulators expect companies to honor opt-outs signals across all your platforms where a user can be reasonably identified. Companies are expected to effectuate an opt-out across connected systems when data links exist or when a user is identifiable within the ecosystem. If systems genuinely don’t connect and it’s not reasonable to link them, the obligation may be narrower. But companies cannot use fragmentation or technical silos as a workaround or excuse for not honoring opt-outs.  * [53:22] The AI Service Provider Gray Area  When an AI vendor uses client data to train its own models, it may no longer qualify as a “service provider” under the CCPA. Danie Strachan draws a direct parallel to the GDPR controller and processor distinction, while Daniel and Kellie discuss why deidentification is the only defensible safe harbor for companies navigating this gray area.  EPISODE RESOURCES: * Daniel Goldberg on LinkedIn [https://www.linkedin.com/in/danielmgoldberg/] * Kellie du Preez on LinkedIn [https://www.linkedin.com/in/kellie-du-preez-a8abb3/] * Danie Strachan on LinkedIn [https://www.linkedin.com/in/danie-strachan/] * VeraSafe Website [https://verasafe.com/] Privacy in Practice is handcrafted by our friends over at: fame.so [https://www.fame.so/?utm_medium=podcast&utm_source=bcast&utm_campaign=masters-of-community-with-david-spinks?utm_medium=podcast&utm_source=bcast&utm_campaign=fame-client]. Connect with us at podcast@verasafe.com This podcast is brought to you by VeraSafe [https://verasafe.com/].

The Arc of a Cyber Incident and Strategies for Enterprise Response, with Lisa Sotto

In this episode of Privacy In Practice, hosts Kellie du Preez and Danie Strachan welcome Lisa Sotto, Chair of the Global Privacy and Cybersecurity Practice at Hunton Andrews Kurth, and a Star Performer for Privacy and Data Security (Chambers and Partners), for a detailed, practitioner-level conversation on how cyber incidents actually unfold, from first anomaly detection through board notification and the regulatory long tail that follows. The discussion traces what Sotto calls “the arc of an incident”: mobilizing the response team under privilege, retaining forensic investigators and extortion negotiators, coordinating with law enforcement agencies, and managing global notification obligations. Kellie raises the practical complexity of locating affected data subjects when address data is unavailable, the cost dynamics of cyber insurance, and why controllers remain responsible for regulatory notification even when the breach originates with a vendor. Danie examines the ethical and legal dimensions of ransomware payment decisions and extends the accountability discussion across the Atlantic to NIS 2's executive liability provisions—noting that several VeraSafe clients were unaware the directive applied to them. Together, the three  examine the emerging trend of personal executive accountability through the lens of three landmark matters: the criminal conviction of Uber’s chief security officer, the FTC’s individual consent order against Drizly’s CEO, and the SEC’s recently dismissed action against SolarWinds and its CISO. They also explore why boards have evolved from what Lisa describes as  “deer in headlights” to active participants in cyber governance, and what practical steps—from tabletop exercises to vendor diligence to immutable backups—separate organizations that survive a breach from those that do not. What this episode covers: * The current nation-state and criminal threat landscape, including SALT Typhoon, the $1.5B Bybit theft, and DPRK imposter IT workers * How social engineering and agentic AI have rendered traditional phishing detection obsolete * The "become aware" notification threshold and the strategic case for early regulatory disclosure * Why one incident response plan with severity levels outperforms multiple plans * Ransomware payment decisions: sanctions risk, decryptor reliability, and the limits of criminal promises * NIS2 executive accountability and the CCPA cybersecurity audit requirements * How law enforcement agencies operate as strategic partners rather than adversaries during active incidents  * And so much more! Lisa Sotto is Chair of the Global Privacy and Cybersecurity Practice at Hunton Andrews Kurth. Recognized as one of the National Law Journal's 100 most influential lawyers in America and named a Star Performer for Privacy and Data Security by Chambers and Partners, Lisa brings decades of experience advising governments and Fortune 500 companies on cybersecurity incident response and data protection strategy. Connect with Lisa Sotto here: LinkedIn [https://www.linkedin.com/in/lisa-sotto-028b086/] Connect with Kellie du Preez here: LinkedIn [https://www.linkedin.com/in/kellie-du-preez-a8abb3/] Connect with Danie Strachan here: LinkedIn [https://www.linkedin.com/in/danie-strachan/] Follow VeraSafe here: LinkedIn [https://www.linkedin.com/company/verasafe/posts/?feedView=all] If you enjoyed this episode, make sure to subscribe, rate, and review it. EPISODE HIGHLIGHTS: * [05:02] How Ransomware Attacks Really Work Today Cybercrime today is not cinematic; it’s routine, opportunistic, and relentless. Financially motivated attackers target any organization they can access, exploiting technical gaps or human weaknesses through social engineering. Once inside, they quietly explore systems, stage sensitive data for exfiltration, and then apply pressure. These groups evolve, disband, and re-form, but their playbook stays consistent: find a vulnerability, take what’s valuable, and extort. * [10:27] The First Critical Hours After a Breach AI has transformed cybersecurity risk by making sophisticated attacks easy to execute and nearly impossible to spot. Perfectly written phishing emails, deepfake voices, and fake videos have erased the old warning signs, shifting the threat from technical weaknesses to human instincts. Urgency, authority, and the desire to be helpful are now the most exploited vulnerabilities. Training still matters, but it’s no longer enough to rely on yesterday’s cues. Organizations must assume deception will look real and build new safeguards to protect people from being manipulated into doing the wrong thing for the right reasons. * [21:10] Why Cyber Is a Leadership and Board Responsibility Cybersecurity incidents don’t fail organizations because of technology alone. They fail when teams operate in silos. A breach is an enterprise-wide crisis that requires coordinated action across IT, security, legal, privacy, communications, HR, risk, and audit, with consistent internal and external messaging. Daily alignment is essential. Equally important, involving law enforcement early can materially improve outcomes. These agencies treat companies as victims, share threat intelligence, and help map attacker tactics, while collaboration may later support prosecution through bodies like the US Department of Justice. * [10:30] The Arc of a Cyber Incident: Mobilising the Response Under Privilege Lisa walks through the full incident lifecycle: anomaly detection (or the dreaded media call), mobilising the pre-assembled response team through out-of-band communications, retaining forensic investigators under legal privilege, engaging extortion negotiators, coordinating with law enforcement, and navigating cyber and data protection notification obligations across jurisdictions with timelines ranging from 3 hours (Chile) to 72 hours (EU). She describes live threat actors listening on incident response calls and the necessity of forcing cameras on.  * [31:19] Personal Liability: From the Uber Conviction to the SolarWinds Dismissal The discussion traces the three landmark cases establishing the trend of individual executive accountability: (1) the criminal conviction of Uber’s CSO for concealing a breach; (2) the FTC’s consent order that followed Drizly’s CEO personally for ten years, requiring him to implement security measures at any company where he holds a leadership role; and (3) the SEC’s action against SolarWinds’ CISO for allegedly misrepresenting security posture, which was recently dismissed. Strachan adds NIS2’s executive accountability provisions and du Preez notes the CCPA cybersecurity audit requirements — critically observing that these apply to companies with revenue as low as $50M, not just billion-dollar enterprises. * [44:40] Ransomware Negotiations: Sanctions, Reliability, and the Ethics of Payment This section provides insights into a practitioner’s framework for the ransom payment decision: when payment for a decryptor may be the only alternative to shutting doors, why immutable backups change the calculus, why paying for data deletion rarely works (criminals may not delete, and notification obligations remain regardless), how sanctions screening determines whether payment is legally permissible, and the sobering reality that some decryptors arrive corrupted and some companies are re-extorted after paying. EPISODE RESOURCES: * Lisa Sotto on LinkedIn [https://www.linkedin.com/in/lisa-sotto-028b086/] * Kellie du Preez on LinkedIn [https://www.linkedin.com/in/kellie-du-preez-a8abb3/] * Danie Strachan on LinkedIn [https://www.linkedin.com/in/danie-strachan/] * VeraSafe Website [https://verasafe.com/] Privacy in Practice is handcrafted by our friends over at: fame.so [https://www.fame.so/?utm_medium=podcast&utm_source=bcast&utm_campaign=masters-of-community-with-david-spinks?utm_medium=podcast&utm_source=bcast&utm_campaign=fame-client]. Connect with us at podcast@verasafe.com This podcast is brought to you by VeraSafe [https://verasafe.com/].

How CBPR Certification Builds Trust and Enables Global Scale, with Charmian Aw

In this episode of Privacy in Practice, hosts Kellie du Preez and Danie Strachan welcome Charmian Aw, Partner at Hogan Lovells, to examine the growing relevance of the Cross-Border Privacy Rules (CBPR) System in an increasingly global data economy. Learn why organizations such as Cisco, Mastercard, and Alibaba have obtained certification, why the framework is gaining renewed attention among multinational organizations, and how it complements existing transfer mechanisms such as Standard Contractual Clauses (SCCs). The conversation also explores how CBPR certification plays a role in procurement, regulatory cooperation, and the evolution of responsible data processing. What You'll Learn:  * Why the CBPR System is gaining momentum globally beyond APEC * The commercial case for pursuing both PRP and CBPR certification * How certification actually works * The competitive advantage hiding in your procurement checklist * Why AI and healthcare use cases are accelerating CBPR adoption * How the Global Cross-Border Privacy Enforcement Arrangement (Global CAPE) enables regulators to share information and coordinate cross-border investigations * Why regulatory recognition matters and how it may evolve as more jurisdictions join * And so much more! Charmian Aw is a leading privacy and cybersecurity advisor with deep knowledge of frontier technologies, including AI, data protection frameworks, and international compliance strategy. In this episode, she shares insights from the recent Global CBPR forum, which she attended alongside VeraSafe, a recognized CBPR Accountability Agent. The discussion offers a practical and engaging look at how regulatory developments translate into real-world operations and commercial outcomes. Together we discuss how organizations can move beyond compliance as a checkbox to use accountability frameworks such as the CBPR and PRP Systems to support trust, scalability, and business value. Connect with Charmian Aw here: LinkedIn [https://www.linkedin.com/in/charmian-aw-40bb158a/]Connect with Kellie du Preez here: LinkedIn [https://www.linkedin.com/in/kellie-du-preez-a8abb3/] Connect with Danie Strachan here: LinkedIn [https://www.linkedin.com/in/danie-strachan/]Follow VeraSafe here: LinkedIn [https://www.linkedin.com/company/verasafe/posts/?feedView=all] If you enjoyed this episode, make sure to subscribe, rate, and review it. EPISODE HIGHLIGHTS: * [04:45] Why the CBPR Deserves More Attention The CBPR is widely underhyped because many organizations still approach it with the wrong mindset, treating it as a nice-to-have rather than a strategic, regulator-backed tool. As data flows across borders faster than regulation can keep up, relying on fragmented, country-by-country compliance is neither scalable nor sustainable. CBPR reframes that conversation by offering a unified, multi-stakeholder framework that is designed to support continuous, compliant data transfers across diverse jurisdictions with visible regulatory participation and endorsement * [17:40] How Certification Actually Works To earn CBPR certification, organizations must apply in their home country through an approved accountability agent, an auditor-like partner who evaluates whether your privacy program meets the framework’s principles. The process involves completing a structured assessment, closing identified gaps, and maintaining ongoing compliance through annual renewals. Importantly, certification requires core privacy practices to already be in place and encourages a truly holistic privacy program. * [23:51] Overlap With ISO, SOC 2, and GDPR CBPR certification strategically aligns with existing frameworks, such as GDPR, ISO 27001, SOC 2, and the Data Privacy Framework (DPF). Many of the same controls already exist in your privacy and security programs, making CBPR a natural next step rather than a reinvention of the wheel. More importantly, its value isn’t measured by the cost of certification but rather by the trust signal it sends to customers, regulators, and procurement teams. As more organizations add CBPR certification to procurement and vendor risk checklists, failing to adopt it risks becoming a competitive disadvantage. The true ROI lies in regulatory endorsement, market confidence, and being positioned ahead of the compliance curve. * [28:51] Practical Business Benefits Organizations relying solely on adequacy decisions or SCCs are betting their compliance on paperwork that few people truly understand or can operationalize. Global CBPR certification flips that dynamic: instead of signing complex, non-negotiable contracts and hoping the business can keep up, it delivers a regulator-endorsed, trusted compliance stamp. By requiring real assessments, cross-functional involvement, and evidence-based governance, Global CBPR transforms data transfer compliance from a legal checkbox into a practical, scalable framework that reduces contract risk, builds customer trust, and future-proofs operations in a fragmented regulatory world. EPISODE RESOURCES: * Charmian Aw on LinkedIn [https://www.linkedin.com/in/charmian-aw-40bb158a/] * Kellie du Preez on LinkedIn [https://www.linkedin.com/in/kellie-du-preez-a8abb3/] * Danie Strachan on LinkedIn [https://www.linkedin.com/in/danie-strachan/] * VeraSafe Website [https://verasafe.com/] Privacy in Practice is handcrafted by our friends over at: fame.so [https://www.fame.so/?utm_medium=podcast&utm_source=bcast&utm_campaign=masters-of-community-with-david-spinks?utm_medium=podcast&utm_source=bcast&utm_campaign=fame-client]. Connect with us at podcast@verasafe.com This podcast is brought to you by VeraSafe [https://verasafe.com/].