An Introduction to Data Privacy and Data Protection for Developers With Sheila FitzPatrick (S6E14)

Updated on | Sign up for learn to code tips

If you want to work in tech or run your own business, chances are high that you’ll be working with data at some point. That means you need to know about data privacy.

Initiatives like Europe’s GDPR have brought issues of data privacy to the forefront. As more companies are collecting and using consumer data, transparency and accountability are important to govern how that information is being stored and used.

Sheila FitzPatrickSheila FitzPatrick’s entire world revolves around compliance with worldwide data privacy laws. Founder and president of FitzPatrick & Associates—a strategic global data privacy and protection compliance consulting firm—she is considered a leading expert in about 160 countries. She works with companies in all industries of all sizes and holds strategic seats on a variety of international councils, committees, and boards of directors. In short, when it comes to data privacy, it’s hard to find someone more knowledgeable and experienced than Sheila.

cone control data

In today’s episode, she talks specifically to developers/tech professionals, discussing the things they need to know to make sure that their work follows best practices for data privacy and collection. Listen below!

This episode was transcribed with the help of an AI transcription tool. Please forgive any typos.

Laurence Bradford 0:09
Hello, and welcome to another episode of the Learn to Code With Me podcast. I'm your host, Laurence Bradford, and today's episode is all about data privacy and protection. But first, a quick word about this episode's wonderful sponsors.

Laurence Bradford 0:27
Data Science and machine learning are the two fastest growing careers in tech. If you want to become a well rounded data scientist, Flatiron School's online data science immersive can get you there. Start learning for free with their data science bootcamp prep course at

Laurence Bradford 0:50
I just published a new website and I wanted a short, relevant insecure domain name for it. That's why I chose a dotTech domain. dotTech domains are perfect for all things tech, your portfolio, your passion project for your business. To get 90% off your dotTech domain, head on over to

Laurence Bradford 1:16
Hey listeners. In today's episode I talk with Sheila FitzPatrick. Sheila is the president and founder of a global data privacy and protection compliance consulting firm. She has over 30 years of experience in this field and is considered one of the world's leading experts in it. She works with the US government and the Council of the European Union and was named one of the 2019 data economy 50 most powerful women in the world. Now I know data privacy and protection aren't the most exciting topics for all of us. But this stuff is so important to know whether you're a developer or a small business owner or something in between. Hopefully, this conversation We'll go some way to helping you understand the basics so that you can be compliant with data privacy and protection guidelines and whatever you may do. In our conversation, Sheila explains the difference between data privacy and data protection, what small business owners and developers need to do to be compliant, and some further resources to check out, plus some of the most interesting issues in this area at the moment. Enjoy.

Laurence Bradford 2:30
Hey, Sheila, thank you so much for coming on the show.

Sheila FitzPatrick 2:32
It's my pleasure, Laurence, thank you for inviting me.

Laurence Bradford 2:35
Yes. I'm so excited to talk about these topics today that you specialize in, like data, privacy and things around that. But to get things going, I would love if you could tell us a bit about what you do.

Sheila FitzPatrick 2:47
Sure, I'm happy to so my entire life, my entire world revolves around compliance with worldwide data privacy laws. So my expertise is in about 160 countries and I work with companies in all industries of all sizes, to help them build very solid, very aggressive and exceptional data privacy compliance programs that will work regardless of where they operate in the world, and regardless of what industry they're in, and privacy is certainly my passion. Wow, that's really amazing and interesting. I'm so curious, how did you first get into this area, but it's kind of funny. I have been working in the global data privacy space for almost 40 years. Although I like to tell people I started at the age of five because now they start making start figuring out how old I am. And I was, I was very, very interested in way before anyone cared about it, and literally got into it because I started my career in global employment law, working with multinational companies on employee related issues, human resources, and obviously you can't operate in the employments Base globally, especially in Europe, if you don't understand that fundamental right to privacy and the aggressive privacy laws that we see in other jurisdictions around the world, and I literally fell in love with the privacy side, even though nobody really cared about it. And and it became a passion from there, just really, very, very concerned about individual's lack of understanding of what privacy rights they have. So it's definitely as I keep saying, turned into my passion.

Laurence Bradford 4:32
Yeah. And I would also love if you could talk about just like super basic definitions of some of these terms. You've already been mentioning, like, data security, data privacy, I think you said something earlier about how you will help create data privacy policies or protection for companies. Could you talk about what some of those things mean?

Sheila FitzPatrick 4:52
Sure, I'm happy to because there's really in the in the world today there's a definite misunderstanding of really privacy. versus security. And people tend to hear the word data protection, and they automatically think security. And they don't think about privacy. And the way I like to talk about it is, is privacy is really the legal and regulatory requirements or obligations that define what personal data you can have, what you can do with it, how long you can maintain it, who can see it, where it can be stored, whether it can be transferred outside of the country of origination. It's really all about that lawful basis for collecting and processing personal data. And security and data protection are really the controls that you put around that personal data to ensure that it's protected from unauthorized access in use, or from accidental loss and destruction. And you know, it's interesting, I talk to a lot of companies, I work with a lot of big multinational companies and small companies as well.

Sheila FitzPatrick 5:55
And the first thing I'll ask them is what is your data privacy program look like? And they meet At least start talking to me about their security profile and their encryption. They use the firewalls or the controls they built in place. And I literally say, well, that's great. And I'm very impressed. But that's not what I asked you. I asked you what your privacy program was. And and there's that fundamental lack of understanding of what the foundation of privacy is. And I love to use the analogy of if I go down the street, and I robbed the bank down the street, and I bring that money home and I put it in a vault in my house, and I lock up that vault. It's completely secure. It's in a room that no one can get to. And my sister Mike house has an alarm system so no one can get into the house. When the police come knocking on my door, they're not going to care that I have secured that money, because it's not my money to begin with. And people have to think and organizations have to think about privacy in the same way. If you haven't done your privacy due diligence if you haven't looked at the lawful basis for collecting and processing data. Then securing it doesn't do you any good because literally what you're doing is locking down data you're not legally allowed to have. So there's a fundamental difference between privacy and security, although people they're closely aligned. But I think people really do not understand what privacy means.

Laurence Bradford 7:17
Gotcha. So and I really like that analogy, by the way that I think that to me at least I made a lot of sense of like, what the difference of those two things are. What kind of data though? I don't even know I thought this may be a dumb question. But what kind of data are people or companies collecting? That could be like, quote unquote unlawful? Is it just really anything that the user isn't aware that they're collecting?

Sheila FitzPatrick 7:45
No, it's not and by the way, long as that's not a stupid question, by any means, because there's confusion around really what do you mean by personal data? And so to start with the basics, personal data is any piece of information that is identified To a natural person, or can identify a natural person either directly or indirectly. So that could be your name. That could be your social security number, your employee ID number, your driver's license number your bank information. But it can also be something as basic as your email address or your telephone number. It can be your IP address. And so, organizations and it doesn't mean that organizations are collecting data unlawfully. What it means is that organizations may not be completely transparent about the data they're collecting and what they're doing with that data. And the lawful basis comes in when you know What right did you have to collect that data? Did you define what data you need in order to manage the relationships you're trying to manage? or provide the services you're trying to provide or build the products you're trying to build?

Sheila FitzPatrick 8:55
It's all around transparency, what you must have versus what you'd like to have. So there's a need versus a nice to have, which is extremely important. And then there's another there's a subset of personal data that's even more critical. And that's what's called sensitive data or special categories of data. And that's very specifically things like health related information, political or religious affiliation, trade union membership, biometric or genetic data, sexual orientation, or sex life, and race and ethnicity. And that data is treated at an even more confidential, confidential way. And in some cases, companies aren't even allowed to collect that data. And so, you know, certainly organizations need data in order to run their businesses, but they need to be thoughtful and transparent about the use of that data and and really, that falls to the ethical use of data.

Laurence Bradford 9:58
Got it. So Some of those data types you're mentioning, like email address name, it seems, you know, or IP address country where they're located right, a lot of that they could easily get from just them using the computer and then entering their email address or what have you. But for some of those other things you're talking about, like the, you know, political, religious affiliation, health records, things like that. Would this be information that the company is gathering? Because the user is like, inputting it? Or is this something that they're that they actually be getting in any way without the user giving it to them? I know, that's maybe like a intense question to ask. But I'm just thinking when you're listing all that stuff, I'm like, I'm used to users and putting it on their website. I hope they know the company has it, right?

Sheila FitzPatrick 10:43
Well, and that goes back to the transparency around if individuals are asked to provide that information. It's really important, not only for the organization that is requesting it to be extremely upfront about why they need it and what they're doing with it. Also, it's important for the individual to question why that information is required and what they're going to be doing with it. So for instance, in the context of an employment relationship, employers need certain data personal data, in order to manage the employment relationship, they might have a contractual obligation with the individual in the terms of an employment agreement or employment contract. And that states very clearly, they're going to need obviously their name, their address, or telephone number, social security number or government issued ID depending on what country they're in. You need information on bank details in order to be able to pay them. They might need information on health related if there is a particular disability that the company has to allow for. So it again, it doesn't mean companies can't collect this information. It means they have to be thoughtful and open about why they're collecting it and what they're doing with it. So in most cases, The data will be provided by the individual. But there are cases where the data would not be provided directly by the individual but might be provided by a third party. And I'll stay with the analogy of an employment relationship.

Sheila FitzPatrick 12:13
Say for instance, your employer uses a third party for as a payroll provider, that information that needs to go to the payroll provider would not necessarily come directly from the employee, it will come from the the employer who's providing that information. And in that case, it's very important that the employer informs the employee of the third party providers that they use, and also to make sure that the employer has a data privacy agreement in place with the third party provider so that they understand what obligations they have in terms of treating that data in accordance with the applicable data privacy laws. If that makes sense.

Laurence Bradford 12:59
Yeah, yeah. I know there's probably a lot more there we could unpack. But I don't want to get into like too too much detail because a lot of people that listen to this show are folks that want to work in tech in some role maybe as a web developer, or in DevOps, or some want to work in cybersecurity or something like that. And then there's also folks that want to run their own business. So maybe they want to run their own, like freelance web development, small company, where they're building websites for business owners and all that. So I was wondering if you could talk a bit about like, how can like your quote, unquote, average Joe? know, what basic stuff do they need to know to make sure that whatever kind of work they're doing is quote unquote, best practice?

Sheila FitzPatrick 13:44
And that's a great question because oftentimes people think, well, if I'm, if I'm an individual contributor, I'm just a one person shop. I don't have to worry about these privacy laws. Now in some cases are exemptions where if you have less than 25 employees You really don't have to worry about it. But the fact of the matter is that any time that you are using personal data, whether you're collecting it, whether you're storing it in your, you know, your iPhone contact details, you just need to be aware of the fact that you do have someone's personal data in there and think about how would you want someone to treat your personal data if they had it. And it's really it goes back to what I said earlier, it's all about understanding that you should only be using that personal data for the purpose for which it was given to you. So if you're a web developer, and I engage you to build my website, you're going to need certain information about me your need to know my name, the name of my business where I operate.

Sheila FitzPatrick 14:45
You know, some of the services I provide contact details. And that's all personal data. It's not highly sensitive personal data, but I'm providing it to you to build a service on my behalf to build that website. on my behalf. And that means you have to be respectful of the fact that you have that data, you can't turn around and then sell that or share that with a third party, unless I've allowed you to do that. So you need to get my consent. But the fact that you have it, there's nothing wrong with that. But you should, again, only use it for the purpose of the services that you're providing. So I think that people that, you know, the average, you know, Joe Smith, who really has never concern themselves or really had an awareness around privacy. You know, it's pretty hard today to say that you've never heard about privacy, or, well, this is totally new, because we hear a lot about privacy, probably more. So we hear more about security and security breaches. But it's all around, you know, really as much as possible, trying to read up on privacy. Find a mentor who understands privacy laws and is willing to help you through it. You know, talk to your friends who work in companies that are have privacy officers and find out what they're doing. It's a matter of reaching out and networking to find out.

Laurence Bradford 16:08
Yeah, that makes a ton of sense. And I feel like especially in the last year or two, it's been something that maybe like as the end user, you don't realize what you're seeing. But I'm just thinking of websites like so many basically, all websites now have that little pop up, right? It's like we're collecting cookies or something. Something. Do you agree? Yes, no. And some I know that it may be a little more detailed than just collecting cookies. And I remember like, I think it was last year, you probably know better than me when the GDPR roll regulations being passed, and everyone was updating their privacy policy. So it was like from 100 companies, and it's like, we're updating your privacy policy and get like, all those emails.

Sheila FitzPatrick 16:50
That will tell you when when GDPR came out, and you know, GDPR is certainly it's still an issue. It's been enforced for a year now. But one of the things that really drove me crazy And people that know me know this is that, you know, as I mentioned, I've been doing this for almost 40 years. And, you know, when GDPR came out, it seemed like all of a sudden, all these companies and all these consultants and law firms overnight became experts on privacy laws. And I really had laughed because these were companies that never thought about privacy in the past ever. And so just updating their privacy policies certainly did not mean they were, they were adhering to their obligations under the new regulation. It just meant that they were out there trying to look like they were doing something. And so I think people really need to understand that privacy is not just about updating your policies, it's having the right practices and procedures in place to be able to operationalize those those policies and procedures. Now we're hearing a lot in California, the new consumer, the California consumer Privacy Act ccpa. All of a sudden, now everyone's talking about ccpa, almost like a GDPR all over again. And you see Companies jumping on the bandwagon. Because it's another big revenue generator. GDPR was a huge revenue generator, but it still doesn't mean people understand privacy. It's so I find a little ironic.

Laurence Bradford 18:14
Sit tight podcast listeners, we're taking a quick break to hear a word from our sponsors.

Laurence Bradford 18:20
How would you like to launch your career in what Harvard Business School calls the sexiest job of the 21st century? Data scientists and machine learning engineer jobs are the two fastest growing careers in all of tech. Since 2012. There's been a whopping 650% growth in data science jobs alone. Flatiron School's online data science immersive, teaches a tried and true data science curriculum designed to make sure you graduate as a well rounded data scientist. If you're looking to change careers, what better way than by learning from top instructors using real world tools and working with your very own career coach to get the job, sir skills you need to land the job. You can even take this course alongside your current work commitments, full time, part time or self paced. The choice is yours. Since 2012, Flatiron School has helped more than 3000 students watch new careers in tech become one of them by taking their free data science bootcamp prep course, just go to

Laurence Bradford 19:31
My team and I have just published a brand new ebook called 28 Ways to Earn A Side Income While Learning How to Code for this resource. We wanted to pick a domain name that was short, relevant and most importantly secure. We decided to go for a dotTech domain, We believe dottTech domains are perfect for all things tech. We found out some really big names also use dotTech domains including the Consumer Electronics Show at Intel's Internet of Things portal at and even tech thought leaders like Austin Evans, whether it's for your passion project, your startup or your portfolio, I recommend securing your dot tech domain ASAP. Learn to Code With Me listeners can get a limited time 90% discount on one and five year domains. Just head on over to and use the coupon code Learn to Code. I'd love to hear which domain you go for. Tweet me at Learn Code With Me to let me know.

Laurence Bradford 20:42
Yeah, that's really fun. Yeah, I remember back. So I was working full time still at a at a tech company, a small tech startup but nonetheless GDPR is still relevant. And I remember just like all the emails and stuff we would get from these GDPR experts and like webinars and training And yeah, so what do you mean revenue generator just for like the listeners, you mean people who are specializing in charging a lot to companies that wanted to become compliant?

Sheila FitzPatrick 21:08
That's exactly what I meant. And I had literally client coming back to me and saying, we just spent, you know, $10 million on this technology to make us GDPR compliant only to find out, it had no relevance to GDPR it because, again, nobody was talking about the foundation of privacy. And, you know, I always like to say tools and technology are extremely important. I mean, innovation is, you know, ongoing, it's our future. But you can't innovate at the expense of privacy, they have to work hand in hand. And what happened was a lot of these companies were out selling tools and technology to solve what is, in essence, a legal compliance issue. tools and technology are part of the ongoing journey, but they're never going to make you compliant with privacy laws. And so, oftentimes, I would sort of bet heads with some of these so called experts And say, Well, how could you go from being a security expert to all of a sudden being a privacy expert? They're very different.

Laurence Bradford 22:07
Yeah, yeah, totally. Um, yeah, there was something I was looking at the other day. That was, it was an online course that had to do with starting a website and blogging and things like that. And one of like, the bonuses like a selling point that came with it was like GDPR training, but it's like the person doing the training is I'm just like someone like me sort of like a, you know, a smaller business owner, like, I don't know. Like, I'm not, you know, like a law professional or a privacy professional. So yeah, it's it's interesting how many people are definitely talking about GDPR. And it's not maybe something they specialize in. But real quick in case there are any listeners that aren't familiar the GDPR is because most of our listeners do come from the US. I know that GDPR is an EU policy. Could you just like, just share what it is?

Sheila FitzPatrick 22:54
Sure, absolutely. So GDPR is the EU general data protection regulation. It went into full force on May of last year 2018. And why it's important is it's probably one of the most aggressive data privacy laws in that it is what's called extraterritorial. So even if you do not have operations in Europe, if you provide goods and services to an EU resident, if you have a website that collects data from EU residents, if you monitor the behavior of an EU resident, if you employ an EU resident, you are obligated to comply with with GDPR. And it's really all about putting control of data back into the hands of the individuals so that companies cannot just do whatever they want with the data. They have to conform to the regulations under GDPR.

Sheila FitzPatrick 23:49
I mean, we could have an entire seminar just on GDPR but I think people that know about it, are probably getting a little tired of hearing about it, although it's it's going to be an issue for a number of years and has been pretty substantial sanctions applied to it. So a blatant violation of GDPR can run a company 4% of its global annual turnover or revenue, or 20 million euro, whichever is higher. And we're already seeing some substantial sanctions for some of the big social media companies that, you know, tend to not take privacy as seriously as they say they do. And what's happening is GDPR is having what I like to call a ripple effect, in that other countries are implementing regulations equal to or in some cases exceeding what's required in the GDPR. Asia Pacific is one of the fastest growing regions and has some laws that are more restrictive than what we see in Europe, and certainly in the US. There's 26 states in the US right now that are implementing new privacy laws, and not in To GDPR, because in the US, they tend to exclude employee data. And there's a lot of exceptions to the rule. But we are seeing more laws around protecting consumer data. And one of the things I should add is GDPR applies to any personal data, not just consumers, it's any personal data that an organization would have.

Laurence Bradford 25:19
Awesome. Thank you so much for talking about that real quick. And I feel like anyone in the US who was probably working at a tech company of sorts are probably beyond that knows, but I feel there could be some job right? Like if you work in the service industry or something that maybe they aren't aware of what GDPR is, but I would love to hear from you. What are some of the interesting debates or issues in this area of data privacy or even maybe cybersecurity or security right now?

Sheila FitzPatrick 25:52
So a couple things. Just going back to what I had said initially, one of the biggest concerns in the market today is That total lack of understanding of what privacy really means. And that confusion between privacy and security and all they, although they are aligned, you have to build your privacy foundation before you can think about really securing your environment. But I think if we talk specifically about cyber security, there's a lot of confusion around what really constitutes, you know, and we're portable cyber attack. And really, I kind of laugh because when you talk about cybersecurity, it's just sort of an updated name to what's called a security intrusion. It's just that net. We're now in the digital age. So we've added cyber to it. But, you know, data security and privacy or security violations have been around forever, as long as we've had technology. And the concerns are really around, you know, what constitutes a cyber attack. You know, when do you have to report that you've had an intrusion into your environment, and depending on the jurisdiction, there's different reasons vironment some laws say if you if the data that's been in, there's been intrusion in your environment, if the data that's impacted could lead to substantial harm to the individual, you would have to report it. Well, what really constitutes substantial harm? I mean, and that's sort of an ambiguous term. One company might think substantial harm is is pretty minimal other company might think substantial harm is releasing your email address.

Sheila FitzPatrick 27:29
And substantial harm really is all about is the data that was impacted. Could it lead to harm to the individual such as financial data, obviously, someone got ahold of your bank account information that could have detrimental effects, medical information, nobody wants their medical information released to someone who's not authorized to have it. So there's some categories of data that would be much more sensitive. Things like sexual orientation or ethnicity where it could result Alton, in any kind of, you know prejudicial decisions or discrimination, those are certainly concerns. But we also see the other concern is that there's different laws. So in Europe and Asia, their data breach notification laws are much more restrictive than than what we see in the US. Although we are seeing a tremendous growth in the US. 49 states in the US do have breach regulations. But they're all very different. So if you have a data breach in California, the reporting requirements may be different than if you had one in New York. And so we really, in the US need to get our arms around some consistency around what constitutes a cyber attack a data breach, what should be reported, who should it be reported to what are some of the sanctions, what should remediation be? You know, it does it. I do get a little concerned. I was impacted by a number of the major Data breaches or cyber attacks we've had in the US in the last two years. And the remediation plan was a year of credit monitoring. Well, what good does that do me, just to monitor my credit if someone already has my data, so I think the meat behind enforcement needs to definitely be enhanced, and there needs to be much more aggressive enforcement action so that companies take these breachesmuch more seriously.

Laurence Bradford 29:25
I mean, this is so interesting. And you're like I didn't, like I, I was aware of when you said the word before, like if you get like, there's a data breach like the, the there's like certain laws around alerting your users or whoever the data was, you know, what, what, who's ever data was popular, possibly compromised, but I didn't realize that it differed from state to state in the US.

Sheila FitzPatrick 29:51
Absolutely differs from state to state and you know, in and certainly from country to country. In some jurisdictions, you have to report potential. breaches even though you haven't verified there has been an actual breach. In some countries, you have to report the breach, but it's within a reasonable amount of time. While some companies interpret that to be two years, some companies interpret that to be two weeks, what is reasonable time mean? So just the ambiguity along the lines of the the data breach laws, makes it very difficult and very confusion confusing for companies and individuals to comply with.

Laurence Bradford 30:29
Yeah, that's a really good point. And I'm just thinking of, you know, I'm sure everyone's gotten those emails that you know, your data may have been compromised sort of thing. And sometimes it's, you know, just your name and email, but could be more other times and then what's it called? And then and then yeah, they'll say, Oh, the hat the attack happened. It'll be like three months ago. And then they're emailing about three months later, and I'm like, Oh, what? Exactly, yeah, and I mean, I do at the same time, understand, maybe for some companies, you need some time to like address the issue or shut it down or what fix it and then figure out how they're going to respond. But yes, some of this like three months or something, it feels like a very long time to wait to tell people.

Sheila FitzPatrick 31:10
I have even been three years. I mean, I would think within three years, they would have known about this.

Laurence Bradford 31:15
Yeah, that's yeah, that's pretty. That's pretty wild. Um, so I want to Okay, so we have a little bit more time. So I did want to ask, he says this is an interesting topic. So and I don't want to go too far down this by flick. There's so much in the news and just just about like the data that advertisers collect, and I know this is different from like, if you're on someone's website, and you input like your name and your email and your password, I'm talking about like the ads that we're getting on like Facebook or Instagram and like the retargeting because you were mentioning how the collecting of like religious affiliation, political to the sensitive data, but I see ads all the time where I'm like, they must To know, my age, they must know I'm a woman they must know like they are. Or they must know like certain information about me where I'm getting these ads like what it how does that sort of tie in? I know it's probably a huge area that could be a whole episode in itself.

Sheila FitzPatrick 32:14
It was area and it could be its own topic. But you know, really briefly, it's where organizations sell space and to to advertising companies where they allow them to drop ads into their websites. And this is all through the use of cookies and clear gifts and other technologies that allow organizations to collect data through the information that people are searching online. So if I go into a website and I and I'm searching something on the internet, there's behind the scenes the technology is capturing types of websites, I go to types of information, I'm I'm looking at like there's a There's a brand of clothing that that I love. There's, there's, and you probably know it being in New York, but there's a company called theory and I love their clothes, and all be on, you know, a website that has absolutely nothing to do with theory and all of a sudden, I'll get this pop up ad for their clothes and all and I'll look at and go, Well, that was a dress I just bought last week how did they know that?

Sheila FitzPatrick 33:23
And it doesn't mean necessarily that there has done anything wrong but it means that the information about my search patterns has been collected and distributed to various companies that know that I like this brand. So maybe, you know, this big department store knows I like theory and they'll all of a sudden drop an ad down into my my website and, and it's all happening behind the scenes. Now that's an area right now, that is under tremendous scrutiny, especially from EU regulators. And that's why what's coming up and we're going to hear a lot about in 2021 maybe 2020 is what's called the Privacy Act. And that's going to be dealing with these unsolicited ads that people are getting the use of cookies where people were organizations are tracking your location, they can string different pieces of information together from different websites to be able to identify you, without your knowledge. And so this is a huge area of concern from a privacy perspective.

Laurence Bradford 34:27
Thank you for talking about that real quick. And we'll have to keep an eye on that the Privacy Act. So if there is anyone listening that's really interested in these areas like of data protection, privacy and whatnot, are there any resources that you could recommend that they turn to to learn more about it?

Sheila FitzPatrick 34:46
Well, there's certainly you know, the EU website, it's always a good one because they do put information out there about about the laws. It's the EU Commission website, also, California or any states. You can go on and Google, US privacy laws that will take tell you a lot about it. And you see webinars that come out. There's there's companies that that put conferences on about it, you know, to be honest, because privacy even though, you know, I keep saying I've been doing it for so long, it is still fairly new. I mean, we hear more about security, and there's a lot of security webinars and seminars and conferences, and we're not seeing as much about privacy. There's certainly the International Association of privacy professionals, IPP. They give a very, sort of high level overview and they run conferences, and they there's good information there as well. That's about it for in terms of, you know, places that you can go to find information.

Laurence Bradford 35:42
Well, thank you so much for sharing that and I was going to add, um, I do see lots of online courses or a fair amount for cybersecurity and related topics, but yeah, now that you were just mentioning that I don't know if I've ever seen any for data protection or data privacy, but I don't know if I've ever really gone out and looked for them. So Yeah, but maybe in the future, that's something that more. I'm thinking like, you know, the online course providers like plural site, LinkedIn learning, and all those other like bigger companies that are putting out lots of online online courses. Maybe they'll cover that more in the future.

Sheila FitzPatrick 36:15
I think that's something they're definitely interested in looking at. And it's really finding the right people that have the expertise to provide that content. And that's certainly something that I like to do with companies is to provide that content for them.

Laurence Bradford 36:27
Yeah. Awesome. Well, thank you so much, Sheila, again, for coming on the show. I learned a lot today. Where can people find you online?

Sheila FitzPatrick 36:33
They can absolutely find me I am on LinkedIn. And so feel free to reach out and connect with me there. I do publish articles and I do respond when people send questions. And also I am on Twitter and my handle is @SheilaFitzP. P as in Paul, and I do again, tweet a lot about the privacy subjects and sort of relevant topics today, you'll find that I'm very brutally honest in a lot of my opinions that are out there on LinkedIn and Twitter.

Laurence Bradford 37:08
Thank you so much and have a great rest of the day.

Sheila FitzPatrick 37:10
Thank you. I really appreciate this and you have a great day as well.

Laurence Bradford 37:19
Thanks for listening. If you want a recap of this episode, you can find the show notes at From there you can browse through recent episodes or find old favorites using the search icon in the upper right corner. If you enjoyed this episode, you can subscribe to my show on whichever podcast player you use. For more free tech related resources, tips and recommendations, visit my website and blog at Tune in again next week for a new episode of the Learn to Code With Me podcast. See you then.

Key takeaways:

  • In the world today, there’s a definite misunderstanding of privacy versus security. People tend to hear the word “data protection” and they automatically think security, but it’s really more about privacy.
  • Basically, privacy means the legal and regulatory requirements that define what personal data you can have, what you can do with it, how long you can maintain it, who can see it, where it can be stored, and whether it can be transferred outside of the country of origination.
  • Personal data is any piece of information that is identifiable to a natural person, or can identify a natural person, either directly or indirectly. That could be your name, social security number, employee ID number, driver’s licence number, bank information, etc., but it can also be something as basic as your email address, telephone number, or IP address.
  • Data privacy doesn’t mean you shouldn’t collect any data, just that you need to be very clear about why you’re asking for it and what you’re going to be using it for. Transparency matters!
 data protection

Links and mentions from the episode:

Disclosure: I’m a proud affiliate for some of the resources mentioned below. If you buy a product through my links on this page, I may get a small commission for referring you. Thanks!

Where to listen to the podcast

You can listen to the Learn to Code With Me podcast on the following platforms:

  1. iTunes
  2. Overcast
  3. Stitcher
  4. Spotify

If you have a few extra minutes, please rate and review the show in iTunes. Ratings and reviews are extremely helpful when it comes to the ranking of the show. I would really, really appreciate it!

Special thanks to this episode’s sponsors

Flatiron School: Flatiron School’s Online Data Science Immersive can help you become a data scientist. Start learning for free with their Data Science Bootcamp Prep course at

dotTech Domains: dotTECH domains are perfect for all things tech – your portfolio, your passion project, or your business. To get 90% off your dotTECH domain, head to and use the coupon code Learntocode.