TechRepublic's Dan Patterson talked with Manmeet Singh about the post-GDPR compliance action list. Singh is the CEO of Dataguise, which is a provider of data privacy and GDPR compliance solutions
Patterson: Alright. As we all know, in business technology it is, in fact, a post-GDPR world. That means compliance is topic number one for IT and business technology professionals. ... Compliance, if it's not on the top of mind of business, it should be. I know that you've traveled, particularly to Europe, in the days leading up to GDPR. What have you learned in terms of organizations' ability to comply with this regulation?
Singh: Good morning. Thanks for having me on the call. Let's start with that. Yes, compliance, as you mentioned the first thing, is very important. Till date, what happened was compliance and security, there was a big disconnect. When the companies were saying we are compliant, that was more like a check mark, more like a CISO budget, a small little prickly budget which they were given. But security was never there. Still, the breaches happen. Breaches like Experian happen. Ask Experian, "Were you compliant?" They were compliant.
Other breaches happen. Ask those companies where the breaches happen. "Were you compliant?" Most of them were compliant. Compliance and security were going different directions. Security was more IT, compliance was more CISO, not connected. What GDPR has done, has brought compliance with security kind of a mad thing has happened. Now today you say, "I am secure." GDPR compliance says,"Prove it." How do you prove? Compliance has changed their role. Before it was a different thing, now it's like "Hey prove it." "I am compliant so I am secure." Earlier it was, "I am secure so I am compliant." That has changed. The whole thing, the whole cycle has changed. You are compliant, you are secure.
But yes, people did not take it seriously. I was in Europe as you mentioned. And I've been talking to a lot of people. People had been taking a back seat, all of a sudden this has come to them and it is hitting them hard. And now they are saying, "Compliance is important, so is security, I need to know my data." The biggest thing with GDPR is put the fear in peoples mind is, know your data. They didn't even know that. They didn't even know, as we talked about last time, where is what. And now that is putting the fear of God in them and saying that, "Guys, you wanna be compliant, and secure. Not just secure or not just compliant."
Patterson: I love that you use the word proof there. Because this is a world where when we see the disconnect and the divide between the CISOs office and IT, it's not just enough to say you are working on this. How do you show that you have proven that not just data is protected, but that you've taken steps to prevent future exploits?
Singh: Correct. So this is where the articles of GDPR come in picture, and I think that should be a worldwide thing. It should not be generally Europe, it should be a global thing. The reason why it should be global, because it puts the CISOs on forefront. It puts the IT on forefront. It puts the board and the CEO on forefront. It says, "I am compliant." So once you are compliant you should not have a breach. How can you have a breach if you're compliant and secure? You cannot say I was secure.
Singh: But I was not compliant. So those kinds of combinations are coming to the picture. So I think these budgets are gonna merge and you will see the compliance security budgets being merging. And you will see SESOs actually having trackable, record of telling, "This is what my IT has done. Or this is what my finance people have done. Or this is what my business has done to do the compliance part, and to do the security part."
Earlier they were like, "Oh yeah, we're secure." And CISO was more like, what do you call it? Nominated head just sitting over there putting a stamp, everything is fine. No longer. That's not gonna be the case anymore, and GDPR is putting that pressure on people. I hope government doesn't ignore GDPR down the line and stop fining people. I think the first fine will define a lot of things out of this post-GDPR. For some reason if they don't do it, it may become another line item like PII, PCI, and I hope it does not. And I don't think it will. Because this has teeth.
SEE: Big data in 2017: AI, machine learning, cloud, IoT, and more (TechRepublic)
Patterson: Yes, there has to be systemic change and systemic thought, as opposed to just creating another line in a database that says, "Yes we are compliant." Manmeet, when you travel and speak to business tech professionals, and this is just anecdotally, but what do people share with you about the troubles they had, and their journey to becoming compliant? And what are their fears that post GDPR they may not be able to do certain things?
Singh: Right. So first thing people do talk about was like, "Hey guys, nobody even had projects to know your data." We had so many datas. We had hundred of silos with cloud coming in. It's not that it's helping, it's lowering the budget, it's taking some costs away and putting them in reckoning. But it's making the compliance nightmare, it's making a security nightmare.
People were not focusing on the compliance and security earlier, but now they are. With this thing, "Okay, where is my data? What is my data?" So those kinds of projects have started. The project earlier, they were doing consulting kind of environments saying that, "Okay, this is there. What is GDPR? Let me understand how it matches with that." So there were a lot of strain last year, year and a half on consulting companies.
But now they are saying, "Well we are done with that. Now we need to know what is with the products which are available in the market? What they can do? Can they tell me what is in the cloud? Can they tell me what is in the premise?" So those kinds of projects are coming to picture. People said that we had to fight for this kind of projects earlier. Not anymore.
The project managers are coming back to life. They are seeing so mch activity in there. Because this is no longer an issue of a company or a branding issue. It is a issue of consumer. It is a issue of a customer. He is coming and telling them, "Right of erasure. Right of access. Remove my data. Show me what you have about me." Those things were not there, now the customers is, like 50 customers, 100 customers or maybe a law company will get together and bring it through a class action lawsuit on them saying that they are not telling you what I have.
So those kinds of things are becoming scary and I think people are taking proactive steps on that now, and we will see a lot more. I think it'll be a lot of these companies doing it, for next two years we will see a lot of spend on compliance, as well as on security.
SEE: IT pro's guide to GDPR compliance (free PDF) (TechRepublic)
Patterson: You know that's so fascinating. Often it's easy, especially when looking at data, to think of users as just that. As users. As lines in a data base. Or check boxes. But now we're thinking of them as consumers. As humans and as people. And making sure that their data is safe. Because they are in fact people, and not just a piece of data.
Manmeet you always have fantastic insights, I wonder if you could leave us with some advice, especially when you said the magic word there, the merger of the IT and CISOs and different departments post GDPR. What do you anticipate will happen in terms of restructuring, reorganizing, not just how we work, but how we communicate between different departments and the ways that organizations think about data?
Singh: See, my thinking is it's gonna change a lot. People were, earlier, working in their own silos. The C lines were working in different lines. "Okay, I have my budget, I have to do this. I have to report to this. I have to report to that." With all the intricacies happening now, everybody becoming dependent on everybody else, if there is a breach or if there is a question, if there is a loss of data somewhere, everybody will get kind of underfoot now.
It's not going to be, "Oh I'm gonna fire a CISO and get a new CISO and that'll save me." No it's not going to do that. "I'm gonna change my IT department or bring it to new people or something. That'll help me." Those things are going to become real now. And life is gonna get more complicated if they don't do it. Life is gonna be super easy if they do it.
And if you think about it, the CEOs of largest corporation were asked by Senate to come in front of them and were given a public beating and public harassment. The reasons were not because the data is a line item anymore. They are saying that is a breathing, living thing. Don't ignore it. Do not ignore it. If you ignore that line, and just give it away to anybody, and somebody can do analytics on that without having the PIIs and PCIs and impasse taking out of it, you're gonna be in trouble.
- Understand the GDPR guidelines for obtaining lawful consent to process data (TechRepublic)
- How to request your personal data under GDPR (TechRepublic)
- GDPR compliance tips and tools for business leaders (TechRepublic)
- Open-sourcing data will make big data bigger than ever (ZDNet)
- Five organizations that are using big data to power digital transformation (ZDNet)
- Big data and digital transformation: How one enables the other (ZDNet)
Dan Patterson has nothing to disclose. He does not hold investments in the technology companies he covers.
Dan is a Senior Writer for TechRepublic. He covers cybersecurity and the intersection of technology, politics and government.