In this inaugural episode of Privacy in Practice, hosts Kellie du Preez and Danie Strachan introduce VeraSafe's new podcast focused on making privacy compliance practical and accessible. Together, they:

Kellie du Preez is a privacy compliance leader and former litigation attorney who transitioned from defending banks in Boston to focusing on global privacy compliance. With experience as both an IP litigator and privacy professional, she brings a unique perspective on balancing practical business needs with regulatory requirements. As a Data Protection Officer and privacy consultant at VeraSafe, Kellie helps organizations navigate complex privacy challenges with a focus on creating workable, cost-effective solutions.

Danie Strachan is a privacy professional who began his career in South African legal practice, where he developed deep experience in data protection law during the implementation of South Africa's Protection of Personal Information Act (POPIA). As a senior privacy counsel at VeraSafe, he specializes in helping organizations understand and implement privacy requirements across multiple jurisdictions, including the EU. Danie brings valuable insight into the evolution of privacy regulations and practical approaches to compliance.

Privacy professionals must take a more active role in understanding their complete data processing ecosystem. Recent EDPB guidance emphasizes that organizations can't simply delegate responsibility to processors - they need detailed knowledge of all subprocessors and their security measures. This includes knowing where data is hosted, what security measures are in place, and maintaining proper documentation of the entire processing chain. For DPOs and privacy leads, this means implementing robust vendor management processes, maintaining detailed data maps, and regularly reviewing subprocessor arrangements. This increased oversight requirement may require updating data processing agreements and implementing new monitoring systems.

Privacy compliance requires moving beyond surface-level documentation to meaningful implementation. Organizations often focus too heavily on having privacy notices and policies while neglecting the actual operational aspects of privacy compliance. Privacy professionals need to dive deep into understanding actual data flows, processing activities, and technical implementations. This includes regular audits of data collection practices, storage durations, and processing purposes. The key is connecting written policies to practical implementation through technical controls and operational procedures.

With the February 2025 deadline here for prohibited AI systems, privacy professionals need to conduct comprehensive AI audits within their organizations. This includes identifying all AI systems in use, evaluating them against the EU AI Act's risk categories, and developing plans to address any systems that are prohibited. Privacy teams should focus particularly on workplace monitoring systems, automated decision-making tools, and any AI systems that could affect individual rights. Creating an AI inventory and risk assessment framework should be an immediate priority.

Privacy professionals must establish processes to evaluate AI capabilities being introduced through existing vendor relationships. Many vendors are rolling out AI features without explicit notification, creating compliance risks. Privacy teams should implement specific AI review procedures as part of vendor management, require vendors to provide detailed information about AI features, and establish clear internal protocols for when teams need to involve privacy review of new AI capabilities. This requires ongoing communication with business units and regular vendor technology reviews.