PODCAST
THEOS Cybernova: The Cybersecurity Podcast for APAC Leaders
THEOS Cybernova delivers expert cybersecurity insights for business and security leaders in APAC. Hosted by THEOS Cyber CEO Paul Jackson, each episode dives into real incidents, strategic responses, and the evolving role of cyber leadership.


Episode Summary
From incident response to red teaming, many global teams touch systems and data in China without realising the legal tripwires. In this live CIO Summit conversation, THEOS Cyber CEO Paul Jackson speaks with DLA Piper’s Carolyn Bigg about the realities of operating in China’s data and cyber landscape. Topics include why consent is foundational, why remote access counts as a cross-border transfer, volume thresholds that trigger filings or approvals, and new breach notification measures with four-hour reporting for higher-severity incidents and mandatory 30-day remediation reporting. They also cover local technical standards beyond ISO 27001, provincial CAC dynamics, operational risks such as license exposure, and the unique AI environment in China where toolsets, policy aims, and threat models differ from the West. A clear, practical primer for CISOs, legal, and operations leaders who need to plan before the crisis.
Disclaimer: This episode provides general information. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. Organisations should consult counsel for guidance.
About the Guest

Carolyn Bigg heads DLA Piper’s APAC Data, Privacy and Cybersecurity team.
Carolyn is an experienced data lawyer, focusing on China and APAC data compliance and international data transfers. Carolyn advises businesses on the best practice approach to navigating regional and international data privacy compliance, to help them seize opportunities to make the most of their data and digital opportunities in APAC within a compliant governance framework.
Carolyn also has extensive experience of managing data incidents across the APAC region, including notifying affected individuals; reporting to privacy and industry regulators; responding to follow up regulatory investigations; liaising with forensic technology consultants, cyber insurers, and credit agencies; and supporting remediation and compliance programme update activities. Her experience gives her clients the benefit of on-the-ground practical advice to navigate the realities of enforcement priorities and risks in different Asia jurisdictions.
As a result of her leading work and outreach in the field, Carolyn is recognized as a leading TMT and data practitioner by publications such as Legal 500 and Chambers locally and regionally. She was named in the inaugural “Women in Data” list by Global Data Review in 2019 and is ranked Pre-Eminent by Doyle’s Guide. She is regularly quoted in media publications, including the BBC and the Financial Times. She was from 2021-2023 a member of IAPP’s Asia Advisory Board.
Carolyn Bigg
Partner
Global Co-Chair of Data Protection, Privacy & Security Group
DLA Piper
Related Resources
- Connect with Carolyn Bigg: https://www.linkedin.com/in/carolyn-bigg-90b409101/
- Learn more about DLA Piper: https://www.dlapiper.com/en-hk
- Connect with DLA Piper: https://www.linkedin.com/company/dla-piper/
- Connect with Paul Jackson: https://www.linkedin.com/in/jacksonhk/
- Connect with THEOS Cyber: https://www.linkedin.com/company/theos-cyber/
- Connect with THEOS Cybernova: https://www.linkedin.com/showcase/theos-cybernova/
Episode Transcript
Paul Jackson: Welcome to season two of THEOS Cybernova with me, Paul Jackson. Today I have a very special guest. We’re coming live from the CIO summit, the Chief Information Officer Summit, in the heart of Mongkok in Hong Kong.
Sunny Hong Kong today. It’s a beautiful day here as we look out of the window, and we’re gearing up for what is going to be a pretty amazing conference run by our friends at the Market Intelligence Group. Paul Szeto, Jocelyn Chung and the team do a great job of running these events, and we’re pleased to be here today.
So, the topic I have today for you is a fascinating one. So I’m here today with Carolyn Bigg. And Carolyn is a Global Co-chair of the Data Privacy and Cybersecurity Practice at DLA Piper Law Firm. Now, it’s a real pleasure to have you here with me today, Carolyn. And an honour. Thank you so much for joining me today.
Carolyn Bigg: Thanks, Paul. It’s great to be here.
Paul Jackson: So, Carolyn, I saw you present at a similar conference organised by MIG, a couple of months ago, and you presented on the data transfer issues between China and, well, anywhere, the legal issues or complexities of managing data in China, which is, as you know, a big elephant in the room for many of us working here in Asia.
And I have never seen a bunch of CISOs in the audience scribble so many notes as they did during your amazing presentation. It was full of such valuable insights. And, you know, I think I speak for everybody that the session today is going to be extremely enlightening.
Carolyn Bigg: Thanks, Paul. It’s very kind. And what’s interesting is we did that session a few months ago. And we were talking about navigating China’s data regulations in 2025. And a few months later, we have even more to talk about, because that’s the way with China. The regulatory framework changes almost weekly at times.
Paul Jackson: I agree. And, you know, what triggered this conversation today was that I picked up on a recent, what? Just the other day, you posted on LinkedIn about, you know, updates again, because it’s constantly changing, isn’t it?
And, you know, it was a fascinating update that you gave on LinkedIn and certainly very pertinent to my role.
Carolyn Bigg: Thank you. So first, in November, it is going to be a key date for everyone who has data in or from China. There are three big updates coming on the 1st of November, one to do with actually helpfully classification of sensitive personal data, which is a topic all to itself in China, completely different to the rest of the world. Which is sensitive?
We have another update coming about, classification of important data, which is a non-personal data, data category. And we’re seeing around the world in the EU, but China is probably leading the way regulating other types of data, not just personal data PII. And then the third update coming, which is one I think we’re going to talk about more, is notifying breaches in China.
There’s been some really interesting developments. We have some new measures coming into play, which give some clarification. But we’ve also had some recent cases that show there are, it’s not just a case of saying we need to, we need to notify. Let’s notify. It’s a question of looking at your overall governance program and potentially notifying immediately.
Might open more of a can of worms for you than not. So it’s an interesting conundrum and lots to talk about.
Paul Jackson: It’s fascinating. And I’m going to kick off with a very personal question because, as you know, THEOS Cyber, we’re involved in, you know, incident response. We’re involved in testing cybersecurity, the ethical hackers. And we often get asked, Can you work in China? And we do from time to time. But it’s to me, it’s a little bit of a grey area of what we can and cannot do, because a lot of the work we do in incident response is remote. You know, we use cloud-based tools and we, but essentially we’re going into China and we are potentially looking at, well, information data.
Right. So let’s start with the incident response side of things. And what kind of advice would you give to companies like ours? You know, when we’re planning ahead for, you know, maybe responding to an incident to China and we are outside China.
Carolyn Bigg: So, planning ahead is what you’ve hit the nail on the head. It’s absolutely critical. There are two really key themes that you need to keep in mind when it comes to China data, and it all basically sums up, and you need to know your data, you need to have mapped your data out, classified it against the different types of data that you have in China.
And if you know that, that will get you a long way in understanding what you can and can’t do. The two themes are: to seize consent, and cross-border data transfers. Consent is critical. So if you talk about data in China, personal data, if you’re coming to this from an Asia or a China perspective, data is defined and thought of very differently to other parts of the world.
So in Europe, data privacy or data is a fundamental right to privacy to a private life. That’s not the case in America. A lot of the American data laws are coming at it from a fear of social media platforms. Hence their focus on adtech. AdTech, it’s not that privacy, right? It’s a different way of thinking about data.
And in China and in Asia, it’s different again. It’s an asset. Data is an asset. And the reason for focusing on that is because people will more readily share their data in Asia in return for something, whether it’s convenience or hyper-personalization or, candidly, even for something to be cheaper. But because of that way of thinking about data, consent is critical.
It really comes down to a choice, black and white. Have you consented to your data being used? And that is particularly critical when it comes to data crossing the border. And remote access is data transfer from a Chinese perspective. So it’s not a case of physically moving data from one server to another across geographical lines. It’s remote access. It’s a transfer of personal data. And in China, you need separate consent for that from the individual, if we’re talking about personal data. So you have a general consent to processing personal data, and you need a separate tick box or click: I’m consenting to my data effectively leaving mainland China, and other tick boxes as well. So that’s the first thing. I would make sure that your privacy notice covers adequately that data may leave, that you may be processing data outside of China with service providers, for investigation purposes, for incident response purposes, and get that consent. That gets you a long way.
Paul Jackson: Unfortunately, a lot of the companies we deal with don’t have that foresight. No, I know, of course, we’d urge them to contact you and daily to get that foresight.
But the odds are that we get suddenly an emergency from a client who has operations in China. And maybe an incident has occurred on their systems in China, and they don’t have this pre-prepared. And it says, so what are our options as a company to actually, you know, immediately because it’s got to be fast, immediately leap. And, you know, it’s in the best interest of the company and in cybersecurity as a whole, right?
Carolyn Bigg: So it’s difficult. In China, we don’t have some of these exemptions you might see in other countries in other jurisdictions. So there isn’t an automatic right in the lack of consent to be able to go and get that data and, and remote access it from outside of China.
So it may be you have to get on a plane, which is fine. But as you say, it takes time and costs money. And in an incident mode, when you’re all hands on deck as quickly as possible, that slows things down. So that’s why I think, everyone listening, please plan ahead, know what data you’ve got, and get those consents for personal data.
There are other categories of data there in China, as I mentioned earlier, that are regulated. So we have categories like important data, and state secrets. And some data regulated by industry regulators. And for many of those, for certain types of personal data, you have to have taken some additional steps for the data to, to leave China.
In some cases, you have to go and get regulatory approval, usually from the CAC, but sometimes from your industry regulator. And for a small subset of data, a small subset of data, that data can’t leave China at all. So that comes back to my original point: you have to know your data.
Paul Jackson: And I think, you know, obviously we get involved in a lot of crisis preparedness planning and very few companies are actually thinking of these kind of things and have operations in China, obviously. But, you know, it’s such an important element because there’s so much to consider, and you don’t want to be doing that during a crisis.
Carolyn Bigg: You really don’t. And if you’ve got an incident involving personal data, coming onto my second set of cross-border data transfers, you have to have done this assessment upfront as to the volume of data that you’ve got leaving China in a year. If it hits certain volume thresholds, you may need to be signing some standard contractual clauses and filing them with the regulator.
Or you may need to go and get approval because you’ve got a large volume of data each year leaving, mainland China or being remote access from outside of China. There are some really helpful exemptions that came into force. And they have put some exemptions around certain categories of data needing to go through either this filing or approval.
So certain lower volumes of data, helpfully higher data, is largely out of scope; data that’s crossing to fulfil cross-border contracts is out of scope. So, we could talk for hours about the intricacies of it. But really, the point is, don’t assume that in an incident, because it’s an emergency, Chinese law allows that data to leave.
That doesn’t necessarily mean you don’t take a risk-based decision. Actually, we have to, temporarily, while we fly people in. But what it does lead on to is then, if you do have to notify or you do face an investigation, you’re not just going to be tackled about how you managed that incident, you’re going to be questioned about why you have not got the right consents in place, done your assessments about cross-border transfers, made a filing, got the approval. And now, for those processing large volumes of personal data, registering your DPO.
And so what may become a small investigation into a relatively containable incident suddenly escalates into an investigation into, your entire governance program in China. And actually, there’s been, there’s been a couple of cases recently. With multinationals facing exactly that and facing fines.
Paul Jackson: And could you talk a little bit about that?
Carolyn Bigg: Not really. But it’s been really interesting to see. We’ve been saying this for a long time. And, and what’s been really interesting is seeing the regulators, support what we’ve been saying, that actually that preparation part is key. And it goes on to then that decision about whether to notify and when as well.
Paul Jackson: Yeah. And so the old cliché, an ounce of prevention. Right. Yeah. Similarly, we also conduct a lot of penetration testing and red team, ethical hacking-type work. And we often get asked to test systems in China. Now, this is obviously not such a crisis-driven thing. So we can prepare and plan.
But again, is it just similar guidance? Because when you’re testing, you’re really, well, you shouldn’t really be taking any data out. You know, it’s more, you know, testing the applications, the systems that are in existence in China. Are there any issues with that, do you see?
Carolyn Bigg: The same issues about where you are accessing the data from, whether you’re allowed to, whether it’s an ethical preparedness hacking or it’s a real life threat actor that the situation’s the same. I think it’s incredibly sensible to be doing all of what you’re saying. And in preparation, what I would just add, also in China, just to complicate things even more, is that there are literally hundreds of technical standards around cybersecurity. It’s a very heavily regulated area, and I’m a humble lawyer, so I’m not technical.
So I’m not on top of hundreds and hundreds of technical standards from TC260. But there are lots. And just saying you have compliance with ISO 27001 will only get you so far when it comes to China. So, yes. I think the other thing to bear in mind in China when it comes to that preparation is making sure you’re testing against the local standards, and not just international standards as well.
Paul Jackson: Right. Now, one thing I’m curious about, because quite obviously you’re very British, just like myself. And the Chinese laws are obviously published first and foremost in Chinese, although of course they do publish them in English as well. Now, how do you navigate this? Because I’m sure there are nuances between the Chinese language versions and the published English versions, because law is a complicated beast.
I mean, I know from being a former police officer how complicated and how nuanced and how grey sometimes law can be. So how do you navigate that side? Because I’m sure there must be slight differences or nuances between the Chinese versions of the laws and the English.
Carolyn Bigg: There are. And really, with hindsight, my French and German A-level have ended up completely useless living in Hong Kong for nearly 17 years, and I have CSU all but no Mandarin.
I have an amazing team across greater China who are actually looking at that nuance, and I think that’s really important. An English translation of Chinese characters is not going to get you there, particularly if you’re looking at that law with a common law or a Western Civil Code mindset. You start trying to read things into it that just aren’t there.
The other complication is that Chinese laws, the actual law themselves, are very high level, very, very high level. So the detail of what you need to do to comply, how to comply may not come for weeks, months or even years afterwards. And it comes quite piecemeal. So you had mentioned earlier, there’s an update in the last few days about breach notification.
These laws are not changing the law; they’re adding to it. And so I’d really encourage those who think an English translation of a law, even if it may have been published officially by the CAC or the Chinese government, is the be-all and end-all. It really isn’t. The reality of what’s happening in China is not just the law itself.
It’s all of the guidelines, measures underneath it. It’s getting the view on the ground of what not just the national level central CAC are thinking, but the provincial level CAC wherever you’re based. So whether Shanghai, Pudong or Beijing or Guangzhou. And they can have different views about some of these things as well. And you also have to look at it as a matter of policy.
We all know that data and cyber law is fundamentally driven by policy and trade and geopolitics. And so much of navigating China’s data and cyber regulations, you have to keep that front of mind as well.
Paul Jackson: Got it. Yeah. And I’m not sure we should delve too deeply into geopolitics.
Carolyn Bigg: It will change by tomorrow.
Paul Jackson: You know, that’s very true. But yeah, I mean, look, I, whenever I try to read the Chinese security, cybersecurity laws, etc., my eyes just start to cross, and it’s extremely wordy and complicated.
Carolyn Bigg: And the framework is complicated. We’ve got the cybersecurity law, the data security law, and the personal information protection law. But then underneath that, we have so many guidelines and measures and standards, and we can’t forget about things like, archiving laws, and e-commerce laws, and consumer protection laws, and, criminal laws.
And I could go on and on and on. There are so many different laws we have to think about. And I would always say, don’t ask what the law is. Ask what the compliance obligations are.
Paul Jackson: So before we go on to talk a little bit about what you’re going to be presenting today, a spoiler for anybody who’s attending today.
But also it’s great for those who are unable to attend today and hear you in person. But you describe yourself as a humble lawyer. I would describe you as a rockstar in this world.
Carolyn Bigg: Thank you.
Paul Jackson: Yeah. But how did you get into this? Because you’re not technical by background, are you? And, I mean, tell us a little bit what made you come to Hong Kong in the first place? And, you know, how did you get into the cyber side of things?
Carolyn Bigg: Well, I’ve been a, I qualified as a lawyer. Gosh, a very long time ago now. But I started my training contract as a lawyer in London on 9/11, which means that every year it comes around and I, you know, reflect on many things.
Being 9/11. But I do reflect on that. Was it outside my training contract and started becoming a lawyer. And I trained at a firm in London. And one of the lawyers at the firm was the guru on data protection law at the time. The old, shout out Peter Kerry, who I’m still in touch with, and he was the rock star in UK data protection at the time.
And as a result, the firm I was working for at the time and training with were doing some of the first big data protection cases in the UK, and I joke and look back now and think I was lucky at that time as I was, you know, after a few years asked to speak about data protection, I was lucky to get five minutes at the end of a three-hour client training session.
No one really cared. But I cared, and I was interested, and I worked with some of the partners there to set up microsites. And one of the cases that the firm was doing was the, if you’re of a certain age and British, the infamous case involving Catherine Zeta-Jones and Michael Douglas’s wedding photos.
Paul Jackson: Oh, yes.
Carolyn Bigg: And, certain popular magazines who should or should not have published the photos. And there was a very small data protection element of that case. And that’s really how I got there. It was the dot-com bust, having had the dot-com boom. And so from a very early age as a lawyer, I was looking at e-commerce online, what was happening online and attitudes to data changing.
And so I moved to Hong Kong in early 2009. We moved over here, then, to join a different firm. And I have been so fortunate to be in this part of the world where, as one of my colleagues says, all the cool stuff happens. And data protection law, even in 2009, in Asia was small. Maybe a handful of countries had data protection laws, but for various reasons, pretty much every jurisdiction in Asia now has data protection laws.
And China’s been a continued focus because it’s China. It’s, you know, such a large economy, such an important market for many multinationals. Now with its biggest companies going global. So that’s how I’m here, and I’m just so grateful. Who would have thought 22 years ago that I could have a practice focused entirely on data and cyber? So incredibly fortunate.
Paul Jackson: And a global co-chair.
Carolyn Bigg: And be a global co-chair. But I do think I did a history degree. I was always very focused on international relations, and I do think that policy trade aspect of driving data laws is what keeps me really interested.
Paul Jackson: That’s fascinating. So you talk to you. I just want to touch quickly on the data privacy laws because we are here in Hong Kong and it’s always a pet topic of like this.
Because, you know, when I was a cop back in the day, around 1995, in that time, I was in charge of a unit that had to deal with the new mobile phone operators that were all given licenses in around 1995. And data privacy law just came in. So we had to negotiate with the companies how to get information from them related to intelligence, police work.
Right? And the law hasn’t really changed since then, has it? You know, it’s not much. There’s been a few amendments, but we now have probably one of the longest-standing data privacy laws, but one of the weakest in terms of, you know,
Carolyn Bigg: It’s definitely the oldest and the least, if least, it hasn’t evolved and developed as much as other laws have.
So some of the… I describe it as a very straightforward data protection law. It really does follow the old EU directive, the old UK act, which as we know has evolved into GDPR, and even countries like Malaysia, Taiwan and Japan that had old, quite straightforward data protection laws. There’s been a greater evolution of their laws than in Hong Kong.
But Hong Kong is a business-friendly jurisdiction, and what I would say is that data protection laws in Asia, some of the new laws may look like GDPR, but the reality is how they’re enforced, how they’re interpreted, how they’re applied is not GDPR. They are much more straightforward and streamlined. And it goes back to the point I was making earlier that data is an asset.
And the laws in Asia, including in Hong Kong, are to stop the worst abuse of data. They’re not to stop the use of data, but to stop the abuse of data. And that reflects the very commercial, business-focused mindset of Asia. So I wouldn’t say they are not as good; I would just say they are different and they reflect their markets.
Paul Jackson: I think you touched on an important point, which is enforcement. You know, as an ex-cop, I’d love to see these enforced more because honestly, there’s not much impetus for companies here to be, you know, to invest heavily in cybersecurity because the penalties, the penalties, just all happening, you know, the stick isn’t there. Yeah.
Carolyn Bigg: That’s true, that’s true.
But actually, the consequences are different. The consequences are. Yeah. Perhaps not the big fines that the mega fines that hit the news when you hear about them from the UK or Europe, and they’re not the class actions that we’re hearing about coming from the US and now Australia. The risks are different. The risks are operational, contractual and actually economic and strategic. I would always say that data and cyber is primarily an operational resiliency issue. It’s not a compliance issue. The fact that businesses nowadays are so fundamentally reliant on data and IT systems, a cyber it’s an existential threat to some businesses and we have many examples of that. So in Asia, the risk is, is that the risk is also if you don’t get data in cyber right, you can’t use that data, that incredibly valuable asset that you have, in the way that you could to strategically or even commercially, bottom line, grow your business.
It all comes with planning. If you set up your data governance framework correctly, making sure you’re within the confines of the legal frameworks you’re operating. But what you can do within those legal frameworks in Asia is, is more than you could in, say, Europe. So, not having a proper data governance program, not having the correct cybersecurity, may stop you from using data for AI or machine learning.
Sorry, data analytics or not being able to properly and quickly respond to a cyber incident or not being able to sell your business because the value is decreased, because you haven’t got the rights to use the data you thought you had, or you’ve suffered some cyber attacks and so there’s I would say there’s that. There’s also the risk of losing operating licenses in Asia, which is not a threat we see, not a risk we see elsewhere in the world, whereas in Asia, it does happen. A cyber or data incident is a very good backdoor for regulators in Asia to look broader across your company. And the threat of withdrawing your right to do business in a country is real. And that has knock-on consequences legally, from a contract point of view, you’re providing goods and services, and you lose your operating license, or you can’t operate because you can’t access your data or your cyber.
That can be a huge contractual risk as well. So while we may think it’s not so much of a concern in Asia, I think the risks are really different and it’s really worth paying attention to those and not just thinking, oh, well, I won’t get a big fine.
Paul Jackson: Right. All right, well, let’s turn to your presentations that you did at the recent conference and the one today.
Because, I’m not obviously going to ask you to, do the whole presentation for the audience here. Yeah, they should have turned up to this conference if it wasn’t you. But, you know, I know you’re very approachable and, you know, you’re happy to for people reach out to you and talk to you about these issues because they are complex and we’re certainly not going to cover all the points that you’re going to be covering.
But what are the highlights, would you say, for this kind of audience? I know we were in our pre-conversation, of course, to me, close to my heart is the update on breach notification that was said earlier. So maybe you can run us through some of the highlights rather than the entire presentation.
Carolyn Bigg: Of course. So I think from a navigating China data perspective, we’ve already touched on all the key points to bring right up to date. Yes, there are new breach notification rules, and as I said, this is not replacing what’s in China. This is clarifying. It applies to those operating networks in China. And that’s really broad. It can be as simple as a website or providing services via networks in China. So anyone that’s got any sort of infrastructure website, WeChat mini program in China needs to pay attention.
And what it’s now done, helpfully, is classify incidents into four categories. They’re called, I’m sure they have much catchier names in Chinese, but in English translation: particularly significant incidents, significant incidents, major incidents and general incidents. And there’s a whole heap of guidance that’s been published as to what falls in those four categories. And it’s the usual volume, impact, length, nature of the data, nature of the system, all of those sorts of things.
What’s now changed is for those first three categories are not general incidents, but the ones above it. You have to report those within four hours, within four hours, within four hours. And it’s even quicker if you’re a critical infrastructure operator in China and you’re already subject to strict cyber notification rules, it can be as quick as one hour. So circumstances.
Paul Jackson: So I guess we’re going to have to wait and see how they define when you recognise an incident, because I think the key here, and we’ve seen this in a lot of jurisdictions, is: okay, you’ve got four hours to report, but what about the time needed to actually clarify whether it meets that threshold or not?
Carolyn Bigg: There is that. And I’d say across Asia generally (we can’t talk specifically about this; we’re going to have to wait and see how they interpret it), there tends to be much more of an acceptance that you do need to assess whether an incident falls within the definition of a reportable incident. Now you’ve got to classify it, and you’re going to have to, I think, build all of this into your incident response plans in advance to help with that process.
You’ve also got to report to the police in certain circumstances, which everyone always knew you really had to do in China most of the time.
Paul Jackson: How do you do that?
Carolyn Bigg: It varies from province to province, almost from police station to police station. And you get very different reactions in different parts of China.
Yeah. And there are clearly designated channels now for this, for the local CAC branches, for reporting to them, including WeChat and all the usual communication channels in China, which is super helpful. The four hours is going to be a challenge. It really, really is. And particularly when you’re relying on third parties, the likelihood is most multinational vendors will not be rushing to update their contracts to commit to telling you within four hours of an incident.
And for these general incidents, while there isn’t this particular threshold for reporting under these new measures, there are already lots of existing measures in China under this really complex framework we talked about, so you may still have to report them. And bear in mind, in China, it’s all to do with network security and cybersecurity. It’s not necessarily specific to personal data. So you have to think of it a bit more broadly. Whereas I think a lot of people coming from Europe will still be thinking of this more from a data point of view rather than a cyber perspective.
And then the third point, the third step in this new process, having classified and reported, is that there is mandatory remediation within 30 days. You don’t necessarily have to have been able to remediate it within 30 days, but you have to have thoroughly assessed it, done a root cause analysis, identified the remediation steps you’re taking, lessons learned, all of these sorts of things, and you have to put that in a report. Again, that has to be filed with the regulator. So it’s a much greater degree of transparency and onus on the company to let the Chinese authorities know. And we’ve seen that a lot in China, with “you come and tell us about your cross-border data transfers; you come and tell us who your data protection officer is.”
So it’s a lot more work for companies. But I go back to my earlier point. This may be the requirement, but it really is a conversation, a decision that needs to be taken at the time, taking into account the whole state of your data and cyber governance programme in China.
Paul Jackson: It’s all resilience. It’s all preparation. And I know we keep hammering that. But, you know, obviously, that’s a key message that we always give as well. You’ve got to be ready for a crisis, ready for an incident. And that doesn’t just involve the technology. It involves understanding your responsibilities under the various laws and regulations in the jurisdictions you operate in.
Carolyn Bigg: And then just to touch on today, later today I’m going to be speaking about managing cyber and data risk in the context of AI.
Paul Jackson: Correct. Because the theme of this conference naturally in the current landscape is, of course, focused on AI. So I’m curious.
Carolyn Bigg: Yeah. Again, it’s a really interesting one when it comes to Greater China, because again, the regulations, the policy and the reasoning for the regulations are very different to what we’re seeing in Europe. And everyone’s talking about the EU AI Act and the impact that might have on multinational businesses, even those not in Europe. But in China, AI regulation has been very focused on generative AI. And generative AI, if it’s publicly facing, is incredibly heavily regulated.
So again, people are now turning their minds to how do we address cybersecurity when it comes to AI? And we’re going to be talking about that a bit more later on in the conference. But from a China perspective, and actually an Asia perspective, it’s again understanding what the actual risks are from a China regulatory perspective, which are different to the risks under Western AI.
And that’s not just because the regulations, the focus, the intent are different. It’s actually because the platforms are different as well. So a lot of the Western platforms, AI tools, are either blocked in China, or they may be accessible, perhaps via VPN, perhaps not, perhaps more generally accessible, but they haven’t got these licences you need to operate general AI platforms. And so you’re operating completely different infrastructures. So as you know, Paul, the cybersecurity doubles, quadruples, because you’re operating such different platforms with such different risks. You know, local language, Chinese language tools. We know some of them are familiar to the Western world, some of them aren’t. And with your local teams, you may be using AI tools that are local in China rather than the Western ones.
So that to me seems like a really difficult challenge for those involved with cybersecurity preparation and monitoring to get their heads around.
Paul Jackson: 100%. And, you know, I talk to many of my connections, obviously, in the cybersecurity world here in Hong Kong. And one of the biggest challenges, I think, of AI usage is understanding how to prevent employees from either deliberately or accidentally uploading sensitive data to these AI platforms.
And you’re absolutely right: when you’re talking about using the different platforms that you must use in China, then that complexity, the whole landscape, broadens considerably. And the role of a CISO trying to understand how to control data whilst allowing use of these technologies is a massive headache.
Carolyn Bigg: It really is. So you’re already thinking about, contractually, what data can we use from a commercial sensitivity perspective?
What data can we use? Personal data, all these things. But then you’ve got to factor in, as we were talking about earlier, the different types of regulated data in China. And the platforms you’re using: are you allowed to use them in China? And also, what are the threats? What are the cyber threats in China? As we see in this part of the world, the threats and the trends can be quite different from what you see in other parts of the world.
So it’s going to be a really challenging one. And I think it’s going to be particularly challenging, again, when it comes to third parties, who will be used to cyber risks with the very familiar Western AI platforms, but not so much with the Chinese ones.
Paul Jackson: Right. Well, I think listeners have a lot of food for thought with this.
And, to be honest, we’ve just scraped the surface of what you’re going to be talking about today. A few spoilers in there, perhaps. But I really urge those listening who have operations or interests in this part of the world to reach out to Carolyn, because she has a wealth of knowledge and information, as you can already tell, on this subject.
And I, for one, am looking forward to your presentation in a couple of hours here at the MiG conference. But I always close our podcast by asking our guests, because I’m a music lover, and I’m just fascinated by what my guests in the various industries and demographics are actually listening to, what’s on your turntable?
So, Carolyn, what are you currently listening to, music-wise?
Carolyn Bigg: Well, don’t hate me, but I tend to listen to comedy and cricket, so TMS is often on my turntable. I’m a cricket fan. Well, there you go. So often TMS, often comedy podcasts and comedy programmes like Radio 4.
Paul Jackson: And of course, the THEOS Cybernova podcast?
Carolyn Bigg: Absolutely. But I do love music as well. I was a real sort of indie kid in the 90s, with all the, you know, Cool Britannia type things. But I really love funk, acid jazz and disco. So I was listening to the Brand New Heavies on the way.
Paul Jackson: Excellent choice, excellent choice. All right. Good to know. All right. Look, Carolyn, thank you so much for spending a bit of your valuable time with me this morning. I think you’ve given the listeners a heck of a lot to think about. And perhaps you’ve scared them a bit, but no. Thank you so much for joining us today. And, as I say, I look forward to hearing more from you in the conference.
Thank you, Carolyn.
Carolyn Bigg: Thanks, Paul.
Episode 8 | Season 2
Navigating China Data, Cyber and AI Laws
Explore how China’s fast-changing data, cyber and AI laws impact consent, breach reporting and business risk.