William: Welcome to Data Decoded, an IBM podcast series dedicated to demystifying the world of data – from data lakes to master data management to big data and everything in between. This is the podcast for data professionals and all those who understand they are in the business of data. I’m your host William McKnight and I’m President of McKnight Consulting Group.
Now if you’ve been following the news lately, the biggest talk of the town has been Facebook with the issue of data privacy. A quiz app that gave its users some ridiculous information about themselves gave them something else too – data exposure. Used by approximately 300,000 people, it led to the personal information of 87 million+ Facebook users shamefully being obtained by the company Cambridge Analytica – walking the fine lines between the T’s and C’s [Terms and Conditions] that consumers glossed over, to be ultimately sold and used by political organizations to influence voter behavior using clever psychological techniques on a population that was ripe and ready for manipulation.
Ginni Rometty, the CEO of IBM, said in response that the industry must do better: “If you’re going to use these technologies, you have to tell people you’re doing that and they should never be surprised. We have to let people opt in, opt out, and be clear that the ownership of the data belongs to the creator.”
So today, we will be discussing the issue of data privacy, the importance of the enterprise response of data governance in the data privacy question, and the future of data protection regulation. Our guest today is Richard Hogg. He’s the Global General Data Protection Regulation Evangelist at IBM. Welcome Richard and please give us a sense of what you do at IBM.
Richard: Hello William and thank you. So I have several roles in several day jobs. The first is the Global Evangelist role. I work with our clients, our partners, analysts and the media to get the message out on all the end-to-end capabilities IBM has for GDPR across all solutions and all services. I’m also part of IBM’s internal program of readiness – getting IBM ready in one of the world’s biggest programs of GDPR readiness.
And then I also work with all of our different business units and offerings to pull together the best of IBM for the solutions for our clients. I’ve been working with some clients for over four years, more heavily regulated in-practice plans, who started some time ago to get ready for GDPR.
William: Okay, great! Well I would expect nothing less from IBM in regards to this important issue of data privacy – so thanks for that Richard. I’ve got some questions for you today. Give us your perspective on the situation with Facebook and Cambridge Analytica. From your perspective, is the narrative that I gave accurate?
Richard: Great question. So it’s definitely very timely with, what now, about 22 days (*This podcast was recorded 22 days before GDPR) left until GDPR goes live? I think the historical phrase is no one expects the Spanish Inquisition when it turns up. It was a surprise in the media in the UK and Europe to see pictures of investigators in flak jackets with ICO, the UK privacy regulator’s initials, on the back when they raided the offices of Cambridge Analytica.
Obviously there was a long history and a long journey here, of how we got to today with the results. Initially, Cambridge Analytica was doing what many organizations in the data space and data marketing space were doing, which was gathering data any which way they could. Facebook’s policies at the time allowed you to collect not just the data of those using an app in an online survey for example – what Cambridge Analytica was doing – but then pull in all of their network contact information as well.
For many of us, we just overlook that. We never really realized what happens if I’m giving away my information. Do you really know you’re also sharing all of your social media network connections and contact information? And this still happens today. For example, if you’re using any of the free torch or flashlight apps on any device. Too often today those are even over-collecting information, not just yours but in the past your whole network.
William: Wow, that’s just amazing to think about that. Well, do you think Facebook is going to sustain brand damage as a result of what has happened here?
Richard: So again, I think it’s been interesting what’s happened during the period of us understanding more and more every week of the breach and the impacts, and we have seen proactive steps from Facebook. They’ve been tightening, and over a year ago tightened up their policies so this kind of thing couldn’t happen as easily anymore.
And obviously they were in the hot seat in front of Congress a few weeks ago. So definitely a spike in the interest. I think soon after, very recently, they published their interim financial results and they didn’t show any economic damage to their brand, and the forecast across the industry is that they continue to grow, their user population now over about 2 billion, in the next two or three years. That forecast almost double the full billion, so we’re not seeing any impact to their business economically or otherwise, but we’ve all seen them collectively, at their F8 Conference going on in San Jose just this week, their annual conference, proactively upfront there – conveying and stating and committing evermore that they will be on top of privacy and helping all of their users understand and know what the sharing controls are.
William: Yeah, they are saying all the right things now. I guess it’s proactive but after the fact of what happened. So Richard, you’re an evangelist for the data regulation laws that Europe is taking on around personal data privacy, so what do these stricter controls mean for businesses and the data sourcing methods they’re using?
Richard: So, certainly in Europe, in one way the GDPR is not really new. So there’s been that EU Privacy Directive for almost twenty years now across Europe.
William: That’s right, yeah.
Richard: Different levels of maturity and complexity in different European countries so GDPR is standardizing those regulations and raising the bar across all the 28 countries of Europe, which is a good thing. It keeps things on a simpler level playing field, makes it easier for me as a data subject in Europe and any company operating in Europe. They don’t have twenty different versions of the same – they can just focus on one.
There’s definitely a cultural difference between how data is, my view and control of what’s personal to me in Europe versus in the US – where we have far less control and insight into all the data that’s stored and used about us and very few controls over that. But it’s definitely a fundamental privacy right that’s seen and has been leveraged for decades in Europe.
It really means organizations operating with European employees or European customers, focusing on their personal data, knowing exactly what data they have on people, and what they are doing with it, processing activities, being ever more transparent with those people in Europe – to be able to share and show exactly what we do with the information.
And now under the GDPR, under consent for example, data subject access requests – giving the data subject, as you would be in Europe, the ability to reach in and view and change and even revoke what you’re doing with that data if we don’t agree with that going forward. So coming forward, more of the controls are back in our hands versus leaving it in the hands of companies.
William: Well that’s great and I have heard that about Europe, that GDPR is a step forward for them, but the US has been the wild west and we’re starting from a different place than Europe is and stepping into GDPR. I actually don’t believe that US based companies that have EU citizen data are taking GDPR seriously enough yet, but do you see anything similar to GDPR headed to the US?
Richard: So I wish. The GDPR is the General Data Protection Regulation. I wish it was the Global Data Protection Regulation. We’ve obviously had multiple data privacy – old privacy and security regs across Europe, across the rest of the world, Asia Pacific. I worked for about six years with clients in Hong Kong and Singapore and Japan, where they’ve had the PDPA and PDPI Acts, which have much of the similar controls the GDPR has in the regulation. Really in the US, it’s been most behind, mainly from a historical, cultural, and economic background, a difference with the view, and the passionate focus on my privacy as a system of Europe.
From the congressional hearings on Facebook just a few weeks ago, we saw several congressional bills drafted around data privacy for the US. I don’t think they’ve progressed anywhere and with the current political climate in the U.S., if I leave it there, I don’t really see them progressing in the near term, but there is definitely more of a consumer awareness across the US that consumers are looking evermore to be able to know and control their data and be able to trust companies.
We did a study with the Harris Poll just last month and 85% of consumers said that businesses should be doing more to protect their data and only 20% completely trust organizations that they share data with today.
William: The trust is low, but given what you said earlier about Facebook and their response, and they don’t seem to have an economic impact yet, surely you don’t see this event or even the European regulations as any bellwethers for consumer control, do you?
Richard: I do see it as consumer control. We’re on a journey. It definitely has been affecting many organizations obviously in Europe who started last year to really get momentum and get C-level and Board level sponsorship and budgets. Something outside of Europe has been slower, probably an order of half a year or more in terms of momentum.
And I still work with clients every week outside of Europe, especially in the US, who are still only just waking up and realizing that “Oh, this regulation does apply to some or all of my business, what do I do and where on earth do I start?” But it’ll definitely be a journey both for companies to get a better control of the information, focused on the personal data.
In one way, GDPR is what we should have been doing all along in terms of good information management and recordkeeping and retention. It’s now just focusing on that, putting in place real teeth to enforce and in Europe, again raising the bar in terms of data subjects in Europe so that we know and can control and see far more what companies are doing with their data going forward.
William: Well I definitely like GDPR as a consumer and what it does for people and citizens. I just don’t know if the US is going to keep pace, so we’ll have to watch that. So it sounds like you’re saying that companies are stepping up, they’re starting to spend more in the area of data privacy. Is that so, are they spending more?
Richard: Yes definitely, from last year in Europe, clients started on the journey starting with the initial step of doing that privacy risk impact assessment, getting the gap analysis, defining the program plan, and many have been investing in purchasing a range of solution capabilities across personal data discovery and cataloguing personal data, as GDPR mandates you need to know what and where it is.
Putting in place a central catalog against policies of how long to keep stuff for. GDPR mandates data minimization – stop keeping all forever, you need to stop record keeping – and then putting in place the more complex areas with solutions to help around master data management for consent. For example, it’s one challenge just to know what’s personal data across the business, it’s another to know where is your data, William, across the business. Which of the fifteen systems do we have some of your data in? That’s generally a bigger gap in infrastructure and data management that most every company has today. They are looking to close the GDPR gap with solution accelerators.
William: That’s right, you have to know with GDPR where that data resides. I’m glad to hear your perspective on that, but what is, what’s working out there? I mean, what is critical for organizations to do to spend effectively for the state of privacy?
Richard: So one point of view is May 25th, G-Day, when the regulation goes live – which is what a little under 22 days away (at the time of recording) – two minimal pieces of red and one is to have completed your privacy risk impact assessment, your summary analysis. That’s the first thing a regulator will be looking to you to have done.
And then secondly, is to be able to respond to Article 30, one of the 99 articles of GDPR, which is focused on records of processing. Simplistically, Article 30 needs you to be able to respond to the who, what, when, where, and why of personal data. Do you know what is personal data to the business?
Not just general personal data, but a sense of personal data that needs to be managed at a high level of obligation. What a weather data is? What are the processing activities? What are you doing on it on all the legal processing activities going forward?
GDPR puts in place 6 legal bases of processing. And then what’s the lineage of information? Where do you get it from as well as what you do with it, what do you do at the end of its life, are you re-selling it or re-marketing it?
And then how can you respond to a Consent Manager when you need it and how are you ready for the Data Subject Access Request so that you would be in Europe from May 25th can submit a right to inquire, right to raise data portability requests.
William: Wow, well are there any existing tools out there to help people not only with GDPR, but also with their overall data privacy initiatives? I think it’s going to help them jumpstart it. I mean, you just mentioned that there are 99 layers to this GDPR, so what about tools?
Richard: Yeah, so one way just to simplify the challenge of GDPR is to split it into three main areas: compliance, data protection, and personal data.
So compliance is all the usual challenges of meeting and sustaining a set of regulatory requirements. For most large organizations, GDPR is not the only regulation that applies to them, so they need to deduce the controls and obligations from all those regulations and bake them into their governance, risk and compliance program.
And we’ve got machine learning accelerated Watson tools to help you digest native regulations and rapidly spit out, for compliance staff, the controls and obligations. Compliance is all about the people, policy, process changes. GDPR is more of a cultural change to the business and technology changes. Technology is a great accelerator, and then putting in place the technical and business controls and measures that you need.
In terms of the second slice on data protection, which is really cyber security, encryption, access controls on monitoring and incident breach readiness and reporting. These are key aspects on the security side to put in place if you haven’t, if you don’t have those already. Many clients have a piecemeal collection of multiple pieces of the security card that they need to bring together and IBM obviously has a comprehensive range of integrated data protection security tools to help in all those areas.
And for personal data, GDPR means you should know what the danger is and where the personal data is. Also, we’ve got discovery tools that we’ve woven in machine learning last year to train the discovery tools up on an extended set of European personal data categories and types and in eleven languages so literally from this afternoon you could use the discovery tools by the hour to start to index across all of your structured, unstructured, on-premise, in the clouds data to start to get insights into what and where the data is and what remediation steps you need to do.
You need a central catalog to pull all this together to get your master source of truth to respond to regulators, so we’ve got a governance catalog tool to help on that. Then we’ve got remediation tools to help you manage and mask information so again you stop keeping it forever. We’ve got reporting tools in the GDPR template so you can sit next to the regulator and dynamically slice and dice and answer any of their questions to show you’re on top of knowing what, where, and how you’re using information, instead of trying to drill into tens or hundreds of different spreadsheets, trying to get the answer.
And then tools to help on consent management through master data management so again we know the fifteen different systems that have your information and we can rapidly, efficiently pull that together. And abilities around case management to respond to data subject requests, so across compliance, data protection, and personal data, we’ve probably got the most comprehensive set of services and solutions to help clients on every step of the journey wherever the road block or gap is.
William: Well that is really great to know and I’m a huge fan of master data management we do MDM strategies and implementations quite a bit right now. Now coming from where I stand, looking at these organizations, I couldn’t imagine trying to start on this GDPR journey, really your data privacy journey today without machine learning. So I’m glad you got that in there as well.
Now we all know that the number one factor in data privacy is really people. People doing the right things and how about from that perspective that internal adoption perspective. What would companies need to be prepared to do to energize their work force to change their habits?
Richard: Yeah, so the biggest cultural changes and challenges needed in your GDPR program need to be set in the plan up front. For IBM, for example, we’re rolling out right now a global GDPR education enablement, mandatory courses for every single employee worldwide. That’s almost 400,000. We’re running GDPR as a global program across the whole worldwide business.
When we did our own risk assessment two years ago, we determined we couldn’t slice and dice or ring-fence the business to just European employees or European customers and services, so we chose to address it globally. So again 400,000 employees. We operate in almost 180 countries, 47 distinct, complex business units, so we have to have a strong comms plan. We’ve been running an internal program to keep everyone on the same page, so you know what the plan is, and through the education, which we’ll be repeating annually as we do for general privacy and information security education that all the IBMers go through and certify annually.
Putting in place that key awareness to “Yes, there’s a new regulation out there, GDPR. It’s not just a burden, but a transformation opportunity for us to develop more trust and transparency with all clients going forward,” and what the impact is on the business and how we will address and respond to it internally and externally.
William: Well that’s great. There’s a lot in there that I think every organization can be thinking about in terms of their own walks with data privacy regulation so thanks for sharing that and thank you Richard for joining us today.
And thank you listeners for tuning into another episode of Data Decoded. You can learn more on the IBM GDPR journey and capabilities to help you at ibm.com/gdpr and learn more about IBM Unified Governance & Integration at ibm.co/UGI. You can find this podcast and more at ibmbigdatahub.com. Thank you for joining again and this has been William McKnight and Data Decoded. Talk to you later.