Beyond GDPR: The Real Purpose of Data Protection

Show Notes

This episode is a fascinating and deeply human conversation with one of the most thoughtful voices in the world of privacy and information governance. Emma Martins served as Data Protection Commissioner for the Bailiwick of Guernsey for over a decade. 

In our conversation, Emma reminds us that data protection is about far more than compliance checklists, privacy notices, or subject access requests. At its core, data protection is about people, power, democracy and human dignity.

We explore the historical roots of data protection law, including the lessons Europe learned from surveillance and authoritarianism after World War Two, and why those lessons matter now more than ever in the age of AI, predictive policing, algorithmic bias and mass data collection.

Emma also shares her reflections on:

• The need for data protection professionals need to reconnect with their “why”
• The importance of diversity, curiosity, and collaboration in the IG profession
• And how we can all move from being seen as blockers to becoming trusted cultural leaders inside our organisations

This is not a conversation about technology or the minutiae of data protection law; it’s a conversation about humanity and why we are here as data protection professionals. 

Be sure to check out below, Emma’s recommendations for books and films about data protection and privacy. 

Emma’s Watch List

• Can’t Look Away 
• The Social Dilemma
• Citizen Four
• Terms and Conditions May Apply
• The Great Hack
• The Circle
• Ex Machina
• Coded Bias
• Mr Bates vs The Post Office
• The Social Network
• Minority Report
• Capture - BBC

Books

• The Age of Surveillance Capitalism - S Zuboff
• Nothing to Hide - D Solove
• Beyond Data - E Renieris
• Your Face Belongs to Us - K Hill
• More than a Glitch - M Broussard
• You are Not a Gadget - J Lanier
• The Political Philosophy of AI - M Coecklebergh
• Technology is Not Neutral - S Hare
• Data Ethics of Power - G Hasselbach
• Logging Off - A Zeynap Walton
• Unmasking AI - J Buolamwini
• Privacy is Power - C Veliz
• Human Rights, Robot Wrongs - S Alegre

This podcast is sponsored by Phaselaw - a purpose-built solution for document disclosures, like subject access requests and FOI requests. Instead of redacting PDFs one by one, or forcing litigation software to do a job it wasn't designed for, with Phaselaw you get collection, review, and redaction in one workflow. Teams across the World are using it to cut response times from weeks to days.

For Guardians of Data listeners, Phaselaw is offering a two-month free trial; run it on live requests, see what it does to your backlog, decide from there. No card, no commitment.

Transcript

Ibrahim Hasan 0:06

Welcome to Guardians of Data, the show where we explore the world of information law and information governance. From privacy and AI to cybersecurity and freedom of information. I'm Ibrahim Hassan. This episode is a fascinating and deeply human conversation with one of the most thoughtful voices in the world of privacy and information governance. Emma Martins served as Data Protection Commissioner for the Bailiwick of Guernsey for over a decade. She is currently the Chief Commissioner at the UK's Data and Marketing Commission. In our conversation, Emma reminds us that data protection is about far more than compliance checklists, privacy notices, or subject to access requests. At its core, data protection is about people, power, democracy, and most importantly, human dignity. We explore the historical roots of data protection law, including the lessons Europe learned from surveillance and authoritarianism after World War II, and why those lessons matter now more than ever in the age of AI, predictive policing, and mass data collection. Emma also shares her reflections on the need for data protection professionals to reconnect with their why, the importance of diversity, curiosity, and collaboration in the IG profession, and how we can all move from being seen as blockers to becoming trusted cultural leaders inside our organizations. This is not a conversation about technology or the minutiae of data protection law. It's a conversation about humanity and why we are here as data protection professionals. Let's jump in. Emma, welcome to the show. Thank you so much. Let's start with the big question, Emma. What's data protection law really for? Is it about compliance or is it something deeper?

Emma Martins 2:04

Well, and it's most simple. The answer to that is yes, it's about compliance because we have a law, and as practitioners, we need to know the law and we need to know how to interpret it and implement it. But my background is social science, and I'm fascinated by human behavior. So I'm kind of naturally very drawn to the bigger questions. Why do we have a law in the first place? What do we want from it and why? And what does it want from us and why? And certainly, from my own perspective and my personal experiences over the years, I've been in this profession a quite long time. You know, when you tap into compliance at that level, it leads certainly in my experience, inescapably to something deeper. And of course, you can choose not to dive deeper and focus entirely on the compliance in its strictest form. I'm not suggesting there's anything wrong with that at all, but I do think that when we engage with something, whatever it may be, at a deeper, more personal, more values-based level, if you like, something changes and something good can happen as a result of that. Because I mean, I believe so strongly that data protection is ultimately about people. It's about us, right? It's about you, it's about me, it's about our families and our friends, how we're treated and how we how we treat others and how we're protected and how how power is exercised. It's a profoundly human piece of legislation. And that sometimes gets missed, I think, if we talk solely about compliance.

Ibrahim Hasan 3:36

Absolutely. I agree with you there. I was reading about a book recently, Why Privacy Matters by Neil Richards, and this quote really resonated with me. The future of privacy is the future of our society. Privacy matters because it helps us to develop our identities. So very much I agree that it is about people. Let's rewind a bit and talk about the history of data protection laws. It's more than a compliance issue, of course. That's important for practitioners to remember when doing their day-to-day work of privacy notices, DPIAs, and subject access requests. Can you just remind us, where does the real story of data protection law begin? We know it doesn't begin when the GDPR came into force. It doesn't even begin when the Data Protection Act 1998, because I think both of us are still old enough to remember that one. It doesn't even begin then, does it, Emma?

Emma Martins 4:31

No, and one of my favorite quotes, probably of all time, I've got lots, I'm a I'm a quote hoarder, if I'm honest. But one of my favorites is from a man called David Flatty. He was a privacy commissioner in British Columbia quite some time ago. And I heard him speak, must be many, many years ago now. And he said the following. I take this everywhere with me, by the way. And he said the following: European data protection laws include the hidden agenda, are discouraging the recurrence of the Nazi efforts to control the population, and so seek to prevent the reappearance of an oppressive bureaucracy that might use existing data for nefarious purposes. This concern is such a vital foundation of current legislation that it's rarely expressed in formal discussions. And this helps to explain the general European preference for strict licensing systems of data protection. Thus, European legislators have reflected a real fear of Big Brother based on common experience with the potential destructiveness of surveillance through record keeping. None wish to repeat the experiences endured under the Nazis during World War II. And you know, I remember hearing that so well and being so struck by the deep history of this that it was, like you said, it wasn't, it wasn't just something last decade or a couple of decades ago. And when I heard him speak, I was relatively new to data protection at that time and I was still finding my way. And it was one of those moments, and I've had I've had quite a few of those throughout my career, when you hear something or you read something, and the ground shifts in you a little bit when you start to see things differently or see things that you haven't seen before. And I've always tried to be really open to those moments and keep hold of them, and importantly to learn from them, and they've absolutely become central to how I approach the roles that I've had. And it's really easy to get caught up, I think, in discussions, understandably discussions about articles of law, GDPR, adequacy, fines, all that good stuff. But when I heard Commissioner Flaty say that, and I know this risks sounding a bit cliched, and I'm sorry, but it doesn't mean it's not true, I kind of fell in love with the law, you know, with its premise. And I just felt an overwhelming sense of gratitude, you know, that I was living in a time when the lessons from that unspeakably awful time in human history were at least being reflected on and trying to be learned from. And, you know, it's it's hard not to say it, but looking at the world right now, we need to be drawn back to that, to the history, to the importance of the roots of this and what a world without some of these rights, which we often take for granted, and without these rights and protections, what that world that we live in would look like. So, of course, it's about articles of law, it's about trade and free-flowing data, but it's also, as I said before, about something fundamentally human. And I would love us to talk more and engage more about those historical roots, you know, not just because it's it's hugely interesting, uh, but also I think it really encourages us, certainly encouraged me, to look at it through a certain lens. And I would argue that that lens is a more complete and more meaningful lens because it helps to ground the work that we do so firmly in human values. You know, wouldn't it be something if all data protection induction or training started with that quote? You know, Flaherty spoke of this being a hidden agenda. And I just think that's a bit sad. I think it should be out in the open. I think we should be loud and proud of the history, particularly at this point in our own history.

Ibrahim Hasan 8:05

So you mentioned that the whole purpose is, amongst other things, to protect us from an oppressive bureaucracy, the fear of Big Brother, the fear of the all-knowing, all-encompassing state, uh, policing people perhaps in a way which would be oppressive or may perhaps even have impact on certain minorities. Uh, we've got a guest coming up very soon talking about predictive policing and AI and how that is currently being used in a way which is having an impact on certain communities. But the wider picture in terms of data protection legislation is that it protects all of us. So you've emphasized the importance of seeing the big picture, particularly for data protection officers. But some professionals that we speak to, particularly the new ones, they don't have time to focus on the why. Privacy becomes very much a checklist for them. Why is that? And what more can they do to step beyond the DPIAs, the checklists and everything else to understand that important history of the legislation?

Emma Martins 9:08

Well, it like you said, it's it's absolutely about time. And if we're talking about the sense of feeling sort of stuck in your compliance box, and I and I can only speak for myself, and I was a practitioner that that felt stuck. I was a DPO in the public sector at the start of my career, and data protection was was one of the things on my job description. It wasn't the only one, and it's it's worth noting that it was last on the list, actually. And that combined with no one really being able to tell me what they wanted or needed me to do or what good looked like, that meant I was kind of left alone to get on with it, and that meant I was a bit lost, if I'm honest. And and the fact that I was pretty ineffective at my job looking back, I really was, it that wasn't down to a lack of enthusiasm. Um, but I was a bit directionless. I hadn't had that moment of kind of falling in love with the legislation that I had a bit later on in my career. So it was all very checklisty, and I saw it like that, and I and I approached it like that, and that meant that everyone else around me did too. And I do see practitioners kind of stuck in that rut sometimes where they feel disconnected from the core of the business, they don't necessarily feel supported, they don't feel valued, and I felt all of those things. And being totally honest, you know, for a while I kind of blamed everybody else except myself. And I I had this job to do, this important job, the busy job, a long checklist. And that didn't encourage engagement though from other people. It really didn't. And but once I started to do things differently, that we've just talked about, the really finding your why, you need the time to do that. But when I started to do that, that's when things started to change. I won't pretend for a second that it's a silver bullet or or a quick fix that there really isn't one here. But when you bring, when you're allowed, when you're given the space to bring and understand the clarity of purpose, when when you you learn to communicate in that way, in a way that means something to your audience. And when you particularly important, I think, when you can engage with senior leadership, because they're the ones that can give you that time and that headspace that you need, that can be a game changer. And in turn, that can lead to, you know, we talk about the word culture a lot, but it can lead to cultural engagement. And that can take time, right? But if you get it right, it can be so powerful. And I think people know when they're in the room with someone that really feels it, that that's real, that has integrity, that's not just about going through the motions or not just about a checklist. It's about looking after people, it's about looking after the organization. And I think that points again to something that I think about a lot. That we do still have, right? I think data protection's always had a bit of a PR problem, but I think we still have that. And I always end up circling back to this, the sort of PR, the cons, what people see in this area. You know, we may love our jobs. I certainly love my job, but the world outside this very lovely bubble of data protection and privacy people often doesn't love it. And we need to challenge that at every, every opportunity, not by being bossy or superior, but by being humble, by being engaged, by being clear about the why, you know, to help others have that purpose epiphany, if you like. And they then will want to walk lockstep with you as opposed to separate you. But sorry, a long-winded way of saying, firstly, you need to give yourself the gift of time to reflect, because so often we just run headlong into it. And and if the people at the very top don't give you that, don't care about it, however good you are, you're gonna have a very tough time being effective. And the job isn't really gonna feel much fun. So a message for you leaders out there give some time, show some love to your DPOs, to your privacy team. In so many ways, they are the beating heart of your organization. Because you know, data is the most valuable non-consumable asset that any business has. So we need to look after the people that look after that, right?

Ibrahim Hasan 13:11

Absolutely. And it's about public trust as well. If the information governance, the data protection function is doing its job properly with passion and communicating the importance of privacy and information rights, then the public are going to trust that organization more. And that can only be a good thing.

Emma Martins 13:31

Absolutely. I think there's a commercial imperative now to get it right. And consumers are getting more savvy, they're getting more informed. And looking after data, why wouldn't you? It's so valuable to you. Um so there's a human element and there's an economic element. And I think that if you can get the both to time together, that can be a bit of magic.

Ibrahim Hasan 13:48

You've given out a strong call to action in terms of leadership, allowing the data protection practitioners time in order to be able to understand their role and to communicate the importance of their role. But in terms of the professionals themselves, what can they do? Are there any resources, any good books that you would recommend so that they can fully appreciate their role and its importance?

Emma Martins 14:13

There are so many. There are some great groups to join. There's sector-specific groups, you know, NADPO's one example. There's I'm there's lots and lots of organizations to do the research. I'm a very big bookworm. So if you ask me to recommend books, this podcast will be about 14 days long because I can just list them all. So anyone that wants any good book recommendations, please feel free to reach out to me. I I believe so strongly in being interested and curious about the field that we work in. It can give you such insights and really, really help to support the whole grounding and the ethos of the work that you do. So the community we have, I think you'll be testament to it as well, is really, really powerful when it works together. So, yes, there's lots of resources, but again, of course, we're we're time poor, aren't we? So it's very difficult. So looping back, the leaders, your managers, your anyone in this field needs to give their team, their individuals working in this space the time to invest in themselves. Because if they invest in themselves, they will deliver better for the organization, and that's got to be a win-win.

Ibrahim Hasan 15:15

It would be wonderful if you can share your book choices with us, and we'll probably put them at the bottom of the show's notes. Emma's privacy reading list. How does that sound?

Emma Martins 15:27

I would absolutely love to. Because I think we think about books as something sort of sitting outside the work that we do, but I believe so firmly that they are fundamental to the work that we do. They open our eyes, and some of the people writing in this space are just brilliant. So to be able to tap into some of those brilliant minds and learn from them is is a real joy. So I would be delighted to. Thank you.

Ibrahim Hasan 15:49

Now, you mentioned the background, the history, the importance of data protection, considering what happened, World War II prior to that, everything that certain oppressive regimes did was all within the law. There was legislation helping them put their agenda in place. Now, judging by the local election results last week, it's very likely that we're heading for a change in government. Come the next general election. Reform have said that they would leave the European Convention on Human Rights, they would repeal the Human Rights Act, they would replace it with a quote-unquote British Bill of Rights. What impact, looking at your crystal ball, Emma, would that have on data protection rights and laws in the UK?

Emma Martins 16:34

Well, it's such a relevant question and so important. And it's funny, uh it's really not funny, but it's just a fact that as data protection people, we often find ourselves defending why it matters. And we've been very lucky in the last, well, 80 years since the end of World War II. 81 years this year. We've become very used to living in a safe democracy with our rights valued and protected. And I think the frameworks that we put in place that put guardrails in and put protections in and make accountability and lawfulness central, they're not frivolous. They are absolutely the bedrock of democracy and they're the bedrock of protecting citizens. And I think it's very sad when we start to talk about so-called progress that starts to undermine that. So I think we need to think very, very long and hard about what these rights are for. And I've said this before, but that there's never been a more important time for those working in data protection and privacy to be standing up and be loud and proud about what they do.

Ibrahim Hasan 17:36

I think the concern for me is very much, and we've got an episode with Jen Person from Defend Digital Me, a privacy campaign group, particularly in the area of children's data. And she was saying very much within the Children's and Wellbeing Act, the infrastructure is there to create a database of children, starting from the time they are born all the way through to reaching adulthood and beyond. And that data could be used going forward by successive governments for all sorts of other reasons and the function creep can come in whereby the data can be used, for example, to check whether people have appropriate citizenship, whether they have the correct views, all sorts of things. So the concern for me is that the legislation that's currently driving sort of the government's efficiency program, their AI deployment, et cetera, could going forward be used for all sorts of nefarious purposes. And that's worrying, isn't it?

Emma Martins 18:40

It genuinely is. And it's the kind of thing that keeps me awake at night. And again, it's something that data protection people will be familiar with. This you've got nothing to hide. So what's the problem? Well, it's not about hiding, it's about protecting something. And these rights, these protections that we have now are thrown into sharp focus when they're threatened. And we can't retrofit this stuff. So once you put a framework in place, once you put a structure in place that allows the massive surveillance of citizens, the mass processing of personal data from cradle to grave, you need to think very, very carefully. And it's not that we are wearing tinfoil hats when those of us that care about these things throw up flags and say we need to be thinking carefully, we need to be putting the guardrails in place. But what we're doing is we're future-proofing and we're looking after those, particularly those most vulnerable young people, people without power, people without a voice in this. And it's it's as I said before, it's more critical now than ever before, sadly.

Ibrahim Hasan 19:39

Absolutely. So let's turn to one of the hot topics in information governance, if I may, Emma, which is of course AI. It's no longer an issue which is being talked about simply in IT circles. We're all using it, or at least affected by it in terms of the systems that we use. It's being rapidly adopted across the public sector, schools, hospitals, etc. What do you see as the key issues from a privacy perspective when it comes to AI deployment that our practitioners need to be wary of?

Emma Martins 20:11

So, firstly, I do kind of get a bit uncomfortable with the language we use because I think language is so, so powerful, and we should use it very carefully and very thoughtfully. So it's not really artificial, and it's not really intelligence, it's computing. It can be brilliant and it's certainly powerful and getting more so, but it's still computing and it feeds on data, and that's the key for us, huh? Lots and lots of data. So it's all the issues we've had for years, for decades, put on steroids. And of course, we're only really at the beginning of the history of AI. I think what's happened in the last few years has just been eye watering. But it's so often the case in these things. It's often the individuals or groups of people that are already marginalized or disempowered or discriminated against, those are the ones that be most impacted here. And we should never ever forget that. And because AI, by definition, looks backwards of the data that we have already, the world as it was, the biases, the data gaps, the underrepresentation or overrepresentation, all those things risk getting baked in. And, you know, something we don't talk about enough as well, especially in the West, that over two, I think two billion or more people on the planet do not have internet access. And that digital divide needs our attention too. We shouldn't make assumptions about anything. So the difference is real in terms of what AI brings to the privacy community. It's the way that AI is feeding from, it's it's learning from, it's using data on enormous scales. And there are real world consequences of that, right? The potential for harm, what risk looks like, first of all, has changed. The potential for actual harms has scaled up for sure and is going to. Keep scaling up, in my view. But the difference is also about the responsibilities that flow from that. You know, you talk about practitioners in this space. For all of us working in this field, data protection, privacy, information, governance, our jobs almost overnight just got more important than ever. Now they were, I believe they were always important, but never more so than now. And just imagine a world without what we're doing, without the guardrails that we're talking about, that we're trying to get put in place. I think the world will be a much worse place without us. So again, I know I keep looping back, but again, it's a really, really powerful reminder that what we do matters more than ever.

Ibrahim Hasan 22:42

Bias and discrimination for me is the big issue, Emma, when it comes to AI deployment. And we're living in dangerous times, aren't we? One merely needs to consider what's been happening lately. We've covered in previous podcasts the Grok AI controversy, the bias in terms of women and children, the impact that AI tools such as Grok is having on them, the spread of political deep fakes, the general erosion of public trust. So I agree with you that it's absolutely vital that data protection officers increasingly are being called upon to advise in terms of AI deployment. They're aware of what they're doing and the importance of what they're doing. There's a lot of talk at the moment of ethical AI, Emma. What does that term mean to you?

Emma Martins 23:35

So the fact that we have to talk about ethical AI, in my view, points to the fact that AI has not embraced ethics enough. That's kind of my personal take on it. Because we don't have separate ethics teams for building planes or building bridges. The ethics is going to be baked in, right, to every member of the team working on those and to the objectives of the team. But if we are going to talk about ethical AI, then we should be referring to the design, to the development, and the use and the impacts of artificial intelligence and make sure that they align with and embed human values. It's about respecting rights, it's about minimizing harm and all the things that you've just spoken about, reducing and removing biases. And at its core, the way I look at it, I'd love to see AI just being ethical rather than have to think about ethical AI. But until then, let's focus on some of the key principles. And yeah, they're very, very familiar to us all, aren't they? Fairness and non-discrimination. Of course, that that's going to be on steroids now in a world of AI. We certainly don't want it in any area of AI, but particularly thinking about the public services, employment, finance, loans, mortgages, that sort of thing, or and law enforcement is a great example where we absolutely need to be paying attention here. Then transparency and explainability. Again, that's really tough in the world of AI because you can explain to people how this black box works, or you can try. Is it going to mean anything? So you can sort of tick that checklist as, oh, well, I've explained it and I've been clear about it, but is that enough? I don't know. I put that question out. Privacy data protection, I've said it before, AI, it feeds on staggering amounts of data. So ethical use means collecting and using that data responsibly. We've seen lots of coverage around authors, musicians, and artists and the way that their data has been scraped for AI training. Accountability, it's a word that's close to my heart. I don't think we focus on it enough. The questions about accountability for who takes responsibility, right? When AI systems shove out outputs on things, you know, especially if things go wrong, right? So that leads then to safety, reliability. And we hear about this a lot as well, the human in the loop. I think that's really important that it's seen as augmenting human capacity as opposed to replacing it. But and this is really important, it's it's got to be the right human. It's got to be the right set of eyes looking at it. And I think sort of ultimately to sum it up in terms of ethical AI, I just think it's about us thinking about not what AI can do, but what it should do. And that again knows it really sounds really simple, but really fundamental. You know, we don't fly planes as fast as they can go. We fly them as fast as we are determined it is safe for them to go. And I love that to be the way we look at data. You know, we have we have lived with this move fast and break things mantra for a long time now. And quite frankly, some of us don't like what's what's being broken.

Ibrahim Hasan 26:39

You mentioned fairness, accountability, transparency. These are all principles very much baked into data protection legislation, particularly the UK GDPR. So suppose, in a way, if data protection officers do their job, they understand the importance of their role and they do their job properly, so to speak, which I'm sure they all do anyway, then a lot of these issues can be tackled from a data protection perspective just by complying with the UK GDPR.

Emma Martins 27:08

Yes. And I caveat that by saying one of the things that vexes me, especially in the AI era, IG professionals, privacy pros, data protection authors, all of the above, they need to be in the room from the beginning. That's the first thing. Then I think we have a problem or a challenge that the technological developments are a challenge for people like me who come to this maybe with a background that isn't technology. I come to it with a social, regulatory, humanities background. I'm not a technical expert. So we need to learn as much as we can and keep learning. But this is a really important point that I've learned over many years. We need to learn to collaborate. Some of the best projects that I've worked on have been with brilliant tech people who are willing to listen and they're willing to explain. I can learn from them and they learn from me. There is no shame and it's not a sign of weakness that you're not an expert in everything. You know, what the world needs now, especially from IG people, is more collaboration, more diversity, not only of gender and ethnicity, but of experience, of specialism. And when all that comes together, when IG people are brought into that, genuinely that can be something very, very powerful. And what we bring as IG professionals, especially as I say, in this era of AI, is something to be proud about. Looking out for the human, the strong human-led values, the guardrails, we do that for a reason. And we understand how vulnerabilities risk being exploited. So all those things and more. And quite frankly, what a wonderful thing to do for a living. I'm very proud, and we should all be very proud because I see this as not something, you know, it's not a job that I do, it's something that I am. You know, there's no immediate and obvious divide between my personal ethics and my professional ethics. Uh, by the same token, just to wrap that point up, uh, we have seen data ethics have become some of the first jobs to go with some of the big tech companies. And that again is something that scares me because we need IG, we need data ethicists more than ever.

Ibrahim Hasan 29:21

Great advice. Any other skills that you think IG people need to develop in order to head and stay up to speed with AI deployment?

Emma Martins 29:31

Obviously, yeah, I can only talk from my personal perspective, but I kind of look back at the skills that I didn't have early days and how that really held me back and more importantly, held the organization back. And as I got older, as I got more experience, the things that I really look back and say that that they helped me to be better at what I did. There's a real sense of just curiosity about the world, but it's not data protection and privacy, it's not something set in stone. It's moving, it's fluid, and it and the world around us in this field is moving so fast. So just that interest, there's not a day that goes by without there being something in the news about big tech or data or data breach. So that continuous learning. And I don't mean sitting in a classroom necessarily. If sitting in a classroom is your thing, then great. But that continuous learning on the news, there's dramas, there's films about this, there's television series, there's books, there's all sorts of areas where you can go. And I know this comes back to the question of time, but just five, 10 minutes a day feeding that curiosity, I think is so, so valuable. We talked about collaboration. I just think that's that's absolutely key. And to sit in a silo, my first job as a DPR was very distanced from the core business. I was sort of down the corridor when it that it was quite difficult to get to. And that points to something about the organization. You need to live and you need to live and breathe it with the people that are making decisions. You need to become part of that team. Again, clarity of purpose. Find your why, find the reason that you're doing what you do. And that gives you so it just puts fire in my belly every day, knowing that I have such a clarity of purpose. Imagination and communication, all these things are very human. You can see I come at it from a human perspective, but I just think they add so much value to you as a professional. You can sit and you can do courses about learning the articles of the law. Yes, that's really, really important. But when we weave all those other skills, those other attributes, those other approaches to life into that pure legal knowledge, again, that can give you a not only does it make you a much better DPO or privacy pro, but it also allows you to really enjoy and get a lot out of your job and kind of fuels you on those days when it's a bit tougher. Because we all get those days, right?

Ibrahim Hasan 31:51

Absolutely. And as you mentioned, the continuous learning enables you understand why you're doing it, it drives you, puts fire in your belly, and it's one of the few areas where you can actually marry up your personal ethics, your personal passions, and make a difference in terms of society as well. So I agree it's a very exciting time to be in the world of uh data protection and information governance. Again, we're both of the age where we remember probably the data protection out 1984 and the days when data protection was very much in a silo and it was just one person dealing with the odd subject access requests, whereas now it cuts across so many different areas of the organization. So really exciting. I wish we could roll back the years in a way. Uh, you mentioned continuous learning and gave me another idea because you said that it wasn't just about attending courses or reading books. There's lots of dramas and films, etc. I think you should compile for us an Emma's watch list as well.

Emma Martins 32:56

I'm very up for that for him, and I've got a long list. So again, maybe not time now, but I'm very, very happy to share it because I think, again, it's more than entertainment. There are some really, really good. I I was only listening to one recently. There was a radio drama about AI, an AI takeover, very dystopic story. But so, so interesting. And if you're walking the dog or driving to work or on the train to work, you can listen to it. And it not only is it entertaining, but it will add something and give you something professionally as well. And that's just terrific when you can experience something like that.

Ibrahim Hasan 33:29

So listeners are going to be looking forward to Emma's reading list and Emma's watch and listen list as well. Just off the top of your head, which film would you really recommend?

Emma Martins 33:40

Do you know? That's a really, really difficult question. Um, recently there's a movie called uh what do you call it? It's not the right word, but um Docudrama. DocuDrama, that's the one, called Can't Look Away. And I feel particularly strongly about how children are experiencing the fifth industrial revolution and how history will judge us. And it it's a film uh about some of the real life consequences of addictive algorithms on social media or for young children, and it's very distressing, but uh I don't think we should look away at things like that because I think history will judge us and our children of all the groups in our society deserve our attention and our protection.

Ibrahim Hasan 34:26

Yes, and and we're recording on the day after the BAFTA awards, where adolescents won quite a few awards, and that's very much about the impact social media is having on the way uh boys that their attitudes towards women. So absolutely, I think it is very much about uh understanding the human impact of all this technology that's moving forward at such a rapid scale. Just moving on from there, Emma, I'd like to talk about uh the future of AI regulation. Of course, in the UK we don't have comprehensive AI regulation yet. Are we ever going to get it? The way politics is looking at the moment, you just can't tell. Do you think we need comprehensive AI legislation? And what would be the best way to regulate an area which is moving so quickly?

Emma Martins 35:15

Such a good question. Uh, so where are we now? Well, inevitably, because of the speed of change, and I know that that's spoken about a lot, but we are seeing just extraordinary speed of developments. And law, well, in democracies at least, it takes time, right? It takes time for them to draft, to consult on. So invariably and inevitably, law is playing catch-up. You know, we saw it's very, very recently that the UK government moved to outlaw AI deep fates because that was clearly becoming a problem. But again, how much harm was done before the legislation came in? And that that's problematic. And then we have the challenge of patchwork of rules across borders, which is very real for us all. So it's it's a very, very tricky one. And it's one of the reasons that I feel very strongly that that we can't just look to laws. I mean, we are as as human beings, we are more than laws, right? We are moral sentient beings. And I think that law they are important, of course they are. But I think we should also be acting because there is a moral imperative, not just a legal imperative. And I think if we only look to laws, we're in trouble. And it's so interesting you talk about adolescents, because I'm reminded of the post office horizon scandal, if you remember that, and how significant the TV series, wonderfully, if you haven't watched it, I recommend it. The TV series, which basically set out what had happened, the public suddenly sat up and went, really? We didn't know about that. And a lot of people have known this is going on, but a TV series was what punctured the social conscience on this. And I think that the this wider cultural values, social norms, all those things can be a really, really powerful force of change. So, yes, I think the laws, I don't know, the jury's kind of out for me on whether the UK approach is going to be effective. There's lots of regulatory overlap right now, I think. So, going back to our early point about collaboration, we're starting to see that with regulators, which is really important. It's not just a nice to have, it's critical. The reality for practitioners who having to work with this real patchwork of regulatory frameworks of different approaches, you know, across the globe. But even in the UK, you've got the duo, you've got Sexual Offenses Act, you've got online safety, children's well-being at all of those things. And going back to your point about the skills that professionals need, one of them is just to be alive to these changes and really open to learning and really nimble in responding. I just don't think we can afford to stick to our lanes anymore if we ever could. But again, now more than ever, we need to be looking around horizon scanning and responding to the very, very fast-paced change that we're seeing.

Ibrahim Hasan 38:11

And as you say, not just the technology is changing, but also the legislation is changing all the time, trying to keep up. And even then, there are gaps. So recently we covered in one of our podcasts, we covered the issue of filming people in public. You must have come across the stories recently of women being filmed whilst they're out on nights out, and then the footage being uploaded on YouTube and other social media channels. We analyzed legislation with one of our colleagues, Naomi, and we came to the conclusion that there are gaps which mean that women are left unprotected by the law. But here when they're out in public, so the law can't keep up with the way the technology is moving. A lot of people are using these smart glasses, so people don't even realize they're being filmed. So, law, I agree, in itself, is not the solution. It's about training people, it's about making them aware, it's about educating the public. So I think the films and the dramas have their place, don't they? You mentioned the drama with Alan Bates, who was instrumental in bringing the post office scandal to light. And that really caught the public's imagination, educated them, and the politicians decided that they needed to act. So I think there is very much a place for education. You mentioned divergence in terms of laws. So at the moment, we've got the UK GDPR, and then we've got the EU GDPR. It's interesting that the EU is considering amending the EU GDPR with the digital omnibus package. So we could end up with even more divergence. So that's going to lead to a challenge, particularly in organizations which are also working with European citizens' data that they're going to have two different regimes to deal with.

Emma Martins 40:01

Yeah, and this divergence from Europe. I mean, everyone has got their own views, of course, and very strongly held views often on this. Personally, I think it's a shame. And I think it makes it more difficult for us as practitioners to deliver. It makes it more challenging for businesses to work efficiently and easily across borders. And I think critically it makes it more difficult for citizens to exercise their rights. So I think in the round, we all lose. And I think that's a great shame, especially in area where we are talking about human rights, not just money in air quotes. I mean, it's important for the world to go around, of course. But when we're talking about something so fundamental, I think that creating more complexity, creating a patchwork, creating different regulators, I just think it adds layers of complexity, which doesn't deliver necessarily the outcomes that we need at this point in our history.

Ibrahim Hasan 40:54

Just reflecting on your role, former role of data protection commissioner in Guernsey, what should practitioners understand that the textbooks don't teach? What did you come across and you thought, I wish I could emphasize for practitioners?

Emma Martins 41:11

Well, just reflecting on my role back then, I was really fortunate to be in a position of being part of a truly exceptional team. We were able to really build a regulatory office from the ground up. And that gave us the really very special and rare actually opportunity to go back to basics, yet stuff that I've talked about a fair bit still already. Why are we here as a regulator? What are we doing? How are we going to do it? And what do we want to achieve? And those things all sound really, really simple and basic, I know. But I I think that we don't stop and think about these big questions enough. We sometimes just plow the same furrows that have been plowed previously. Now, that may not be a bad thing if you're inheriting something great, but it's it also may not be a direction of travel that that necessarily gets the best outcomes for the people you you are there to serve. And I and I know everyone says it, but the world, especially in data protection, is is changing so fast. Doing what we've always done may not work, right? But we're often so busy that we don't get that moment. So having that experience of really having no furrows to follow, if you like, was truly one of the most, I really do think that was one of the most interesting, rewarding, and enjoyable times of my career. But we knew that in a small community, if we could engage people, our community better with the why, we, you know, we translated that in individual knowledge of our why, we translated that across the community. Because the idea was then it will become a community endeavour, not simply a regulatory one. You know, where businesses understood the benefits of looking after their data, how it serves to build trust, to build reputation, and our citizens in that jurisdiction then felt empowered to stand up for their rights and exercise them. You know, that really does, in my view, have the potential to become a virtuous circle. And uh, you know, of course, we need enforcement, right? For those willfully disregarding or flouting the law. But my experience, and I've I've spent many years in regulation, the people who are in that camp, so sort of deliberately flouting, are vanishingly small. Most organizations that that I came across, most people in organizations, they want to do the right thing, but but they often just need help navigating what that looks like. And I think it's easy for us to forget, those of us that live and breathe, and in my case, love love this law, that for many people the legislation is a little bit unfathomable, right? So even the language, we don't talk about people, we talk about data subjects, about controllers and processes. None of this language is intuitive. It is for us, but it really isn't for everyone else. So I really saw it as incumbent upon us in that time. And I think it's incumbent upon all of us, but particularly working in regulation, to make doing the right thing as Easy and as clear as possible. It's very easy as a regulator to look at what you expect from the community, what you want them to do. But actually, what we took the time is say, what do we need to give to them in return? And that was a really powerful uh way of building an office from the ground up. And I think it really worked. And we had a very constructive relationship with the community, particularly the businesses in the community, the regulated community. And it was it was very rewarding and I hope a successful time in the history of that regulation for that jurisdiction.

Ibrahim Hasan 44:29

And I like the fact that you got buy-in not just from the businesses and organizations that have to comply with the legislation, but also from the community. And that really helps to raise the importance of this legislation and in a way will help to ensure that whatever governments we get in the future, people will be willing to say, because we want to keep these laws and they're important in terms of our human rights. You mentioned previously, Emma, the importance of diversity in the profession. And that's something that we're passionate about as well. We want to see new entries to the profession, people from different backgrounds, different ages, as you say, different ethnicities, different communities are affected in different ways by this legislation, but also by the technology that we've been talking about, particularly AI. We mentioned the grot controversy, the impact on women and young girls of that. What can we as an IG community do more to encourage a diverse set of practitioners?

Emma Martins 45:29

Well, it's such a good question. I I think if if you're an organization, I mean I kind of fell into data protection. I shouldn't be embarrassed to admit, really, should I? And I think it's quite a few of us, maybe of a certain age. But what we should do is be alive to those individuals that show a spark of interest. And it doesn't matter what their background is, they don't have to have a law degree. They don't have to have worked in certain industries or professions. But people that are interested in the human elements of this, that's kind of where I started. And so it's a really, really important point, I think this, particularly as we're seeing the emergence of AI in almost every walk of life, this sort of lack of diversity in decision makers, in rooms that where decisions are being made and where power is being exercised, is deeply worrying. And I've always said that unintended is not unforeseen, that we can foresee where this is going. Yeah. So for a business to say, well, I didn't intend it, is no longer going to cut it. So to be able to foresee something means you need the people in the room that have the capability, not just the intellectual or the legal training, but the emotional intelligence, the understanding of where this stuff could lead to if it's not managed properly. You need those people in the room. So I think it's income incumbent. I've given a message before, haven't I, to leaders who are listening, you might be listening. But look out for those people and nurture them and bring them into the fold and allow them into decision making. It doesn't matter who they are or where they're from, but allow them to contribute. And I think we just need to, it's a wonderful bubble working in the data protection community. And I've had a the most rewarding and wonderful career, and I wouldn't change it for the world, but we are in our own bubble. So opening that up. And that's why I love when we talk about TV dramas or films or documentaries, because that opens this subject up. This opens the topic up to everybody else. And quite frankly, we do need this to be a community endeavor. We cannot afford for this just to be something that sits at the door and the feet of data protection and privacy people. We need the community at large to take an interest because we may feel disempowered in the face of big tech, but we have much more power than we maybe think. And if we act collectively, that power can be harnessed for really good things and really positive change. I really do believe that.

Ibrahim Hasan 47:47

Absolutely. I would agree with you that we need to act collectively and encourage more people into the profession, show them that it's actually an interesting, a very interesting area they can really make an impact. And as you say, you don't have to have a law degree. In the first episode of this podcast, we had John Baines. He's done extremely well. He's chairman of NADPO. I'm a senior data protection specialist at one of the top law firms in the country, Mishkon Duraya. So yeah, it's about getting the message across. And your passion, I'm sure, is going to help very much encourage more people into the profession, Emma. What are you doing at the moment? Where can people see you or hear you more? Of course, we're going to be inviting you again to the Guardians of Data podcast because I've really enjoyed our conversation. But where else?

Emma Martins 48:36

For maybe for a book review or a film review, I'll be up for that. So I was asked the question because I've had a long career firstly as a data protection practitioner, then in regulation. And when I finished that fixed-term contract a couple of years ago, I'm a bit of a one-trick pony and I thought, oh gosh, I'm going to get lost with this. But I've ended up with like what I call I described to a friend recently as five part-time jobs. And she corrected me. She said, You have a portfolio. So like a portfolio sounds posher, right? So I have a number of different jobs. I'm the commissioner at the Data and Marketing Commission, so the regulatory arm of the Data and Marketing Association in the UK. I work as an advisor for a few firms. I'm very, very wedded to the third sector and public sector. So I do some work with those. And I'm a hospice trustee as well. So I feel very strongly about looking after people at the end of their life. So I just have the most wonderful professional. It doesn't feel and again, it's a risk sounding a cliche, but it doesn't feel like work because I'm so very privileged to do it and I and I love it.

Ibrahim Hasan 49:35

And you've given me two more ideas, Emma. A privacy film club and a privacy book club.

Emma Martins 49:41

Very up for that.

Ibrahim Hasan 49:43

Emma, it's been a fascinating conversation. Thank you very much for sharing your insights. And I'm sure we're going to have you back if you're happy to come back.

Emma Martins 49:52

I'd be delighted. It's genuinely, I mean, I love what I do. I know how lucky I am in that respect. And I never take it for granted. And it's a huge privilege to be here doing this and for you to be interested in what I have to say. It's it's very special and I'm very, very grateful. Thank you.

Ibrahim Hasan 50:07

I really enjoyed this conversation with Emma Martins. What really resonated with me was Emma's reminder that privacy and data protection are not about abstract legal exercises, they are fundamentally about protecting people, preserving trust, and safeguarding democratic values in a rapidly changing world. From the historical roots of data protection law to the ethical challenges posed by AI and surveillance technologies, Emma made a compelling case for why information governance professionals have never been more important or more needed. We will include Emma's recommended reading and watch list in the show's notes, so be sure to check those out. If you found today's discussion useful, please subscribe, share this podcast with colleagues, and leave us a review. And remember, whether you're a seasoned professional or just starting out in information governance, there's always more to learn. And we'll be here to help you stay ahead of the curve. Thank you for listening and join us next time on Guardians of Data.