Tip of the Iceberg: Why GDPR Is Just The Beginning

Why Trust Techopedia
KEY TAKEAWAYS

Host Eric Kavanagh discusses the EU's upcoming General Data Protection Regulation and the effects it will have on the industry. Joining him are William McKnight of McKnight Consulting Group and Kim Brushaber of IDERA.

Eric Kavanagh: OK, ladies and gentlemen, hello and welcome once again. It’s Wednesday at 4 o’clock Eastern Time, which means it’s time once again – one of the last times in the year of 2017 – for Hot Technologies. Yes, indeed, my name is Eric Kavanagh – I will be your moderator for today’s event. We’re talking about a topic that is far reaching, to say the least. Right now, it doesn’t seem like that – the concept of GDPR, the Global Data Protection Regulation. Let’s go ahead and dive right in this, it’s not about yours truly, enough about me. This year is hot, it’s been really hot in a lot of different ways, but the impending regulations from GDPR and from other organizations, quite frankly, are forcing us to rethink what’s going on in the world of business, specifically as it results, or as it relates to data. We’re going to be hearing from Kim Brushaber of IDERA and also William McKnight from McKnight Consulting Group.

Just a couple of quick words about the topic at hand, folks. GDPR basically says that organizations must have a privacy-first and a security-first policy with respect to data and really, it’s about some of the stuff you may have heard – the whole right to be forgotten, for example, is part and partial to this whole moment, and it’s very interesting stuff. It’s certainly valid in terms of its principles and its ethics. In terms of actual implementation, though, it’s a pretty serious challenge. The right to be forgotten says that if you want some organizations to not have your data, your personally sensitive data, they have to get rid of it. Well, you can just imagine when some of these really heterogeneous data environments, how difficult that’s going to be. To be able to reach into every place where your data is persistent and pull it out, it’s just not going to happen, is the bottom line. Nonetheless, organizations need to have policies in place, to be able to address those concerns, and that’s what the regulators, I’m pretty sure, are going to look for.

It’s a big deal. Not only does the organization need to remove your data if you say so, but if they’ve trained algorithms on that data, technically they’re supposed to retrain the algorithms too. That’s a tall order, I have to tell you, but it’s coming, it’s coming down the pike, it’s going to be a reality in May of next year and there are other regulations as well. Canada has antispam law that they’ve passed, that’s an impact on how we deal with personal information. Net neutrality is coming down the pike now, of course it’s been uprooted, essentially, and that’s going to be changing some things. There are a lot of these very serious regulations that are affecting businesses across the board and around the world, that large organizations really need to start thinking about and to prepare themselves for.

For that, we’ve got William McKnight online of McKnight Consulting Groups to let us know what he thinks and why GDPR is, in fact, just the tip of the iceberg. With that, William, I’m going to hand it off to you. Take it away.

William McKnight: Thanks, Eric, and as you say, as the slide says, this GDPR is perhaps the tip of the iceberg – that’s certainly what we think. It’s important that we dive into GDPR in depth because I think it represents a wave of regulation that’s coming down the pipe that we have to deal with. Fortunately, Eric, there are some reasonable standards around that right to be forgotten, which I’ll get to. But nonetheless, in my walk this year talking about GDPR, I think that there is a lot of firms, especially U.S. firms, that are not prepared for this yet. It is definitely hot and something that we definitely weren’t thinking about a year ago, when they were just trial ballooning some things, but now it’s a regulation and we have to deal with it by, as you said, Eric, May coming right up here – so not that far off at all.

A little bit about me, I’m going to come at this from the data perspective. To let you know, I’m a lifelong data person and consulting now for 19 years in the space of data, and GDPR is a lot about data. I’m going to pose a body of solution here, as I get into my presentation around data governance. I’ve been, obviously, doing a lot of data governance programs and I think that if you’re aligned with that concept, you’re doing some data governance, a lot of companies out there are going to be pretty far down the path actually, to GDPR compliance, but there’s going to be a lot, and most frankly that are behind in governance and therefore quite behind in their GDPR preparations. Let’s level set here and understand what GDPR is all about and as we get deeper into the conversation, we’ll get into more of the ramifications of GDPR on business life as we go forward into the new year and beyond.

GDPR is for European Union citizen data privacy. It’s a regulation – means it has teeth, means it is enforceable. It’s not something that is put out there as a suggestion – that already happened and now it’s been formed into a regulation with penalties. I like to start with the penalties because that really gets people’s attention. These are stiff penalties. There’s two penalties, there’s 2 percent of worldwide annual revenue or 10 million euro if a business fails to comply with security obligations, but everything else, in breach of other provisions – and I’ll get into them – that’s 4 percent. You hear it bandied about – 4 percent. And by the way, it’s 4 percent or 10 million euro, whichever is greater. This is very stiff. People are very serious about this. Enforce beginning May the 25th, 2018 – that is a key date, that’s when the audits can start, that’s when you can get your fine. Definitely you want to be ready for this. Every company I deal with, I deal with a lot of Global 2000 companies, they’re somewhere in their GDPR preparation, some more than others and some have to be more than others at this point. Certainly, it’s going to be challenging to meet that date for some, and we will see.

It is the most thorough data privacy compliance regime that we’ve seen to date. When we’ll see something more stiff or something that affects maybe the U.S. population more directly, who knows, but it’s out there and definitely needs to be adhered to. It requires organizations to understand what UE citizen PII – we’re familiar with PII right – personally identifiable information, social security, phone number, address, the things that can uniquely identify a person or quite fairly uniquely identify a person. What they have and how they’re using it. This means inventory. This means regulation within your own companies around this kind of data. By the way, the U.S. does not have any kind of nationwide data protection law. The U.S. has always been – I’ll say behind, to put it in perspective – behind Europe in terms of this kind of regulation, and that’s continuing. That’s continuing with the GDPR, that’s pretty evident. Some of you may know about privacy shield, you may be wondering about that. There’s about three or four provisions in GDPR that have any overlap with privacy shield, but there’s a hundred provisions in GDPR, so it’s much more than that and of course that’s still in place as well and that has to do with U.S. and EU data interchange only, although that’s important.

Again, I like to start with numbers. You heard about the fines, what about how you get prepared for that. Budgeting for GDPR and doing some of this, this depends on a couple factors. The amount of PII data that you collect on EU citizens. If you collect none, OK, you’re probably compliant and don’t have to deal with this, but you’re probably on this call because you collect some somewhere. The size of your company and the maturity of your data governance, which as I said before, that may be approaching what you need to do to respond to GDPR. You can expect up to several million USD or euros, as the case may be, for compliance. However, we want, don’t want to just comply with GDPR, to check that box, of course we got to do that. Hopefully, you’re not in that direr situation where you’re just desperate to check that box. Look for business benefits because a lot of the things that you do to support GDPR are good for your business. Data governance is good for your business. When it comes to the amount of PII data, some is more important than others, some is going to be scrutinized more than others, like data related health, going to be regulated much more strictly under GDPR than other types of data and will require compliance with additional obligations such as conducting data protection impact assessments which, obviously, adds to your budget.

Little bit there about budgeting. In case you are in the U.K. or the U.S. and wondering how that affects you – GDPR affects the U.K., who is still in the EU, by the way, through March 29th of 2019 and whose government has indicated that something like GDPR will continue after that date because “It’s a good idea.” U.K. companies have to comply with it. U.K. citizen data is certainly on the table for this. In case it’s not clear, there are U.S.-based businesses, if you deal in the EU, with EU citizen data, this certainly applies to you. This has ramifications on your data architecture because you may end up having to wall off your EU data from everything else and treat it differently. It affects analytics, as Eric was saying, in how you compile those analytics and so on. It may be more difficult now to get any kind of concept-wide, global-wide analytics going. They may become more localized as a result of GDPR.

What’s in the provisions? There are data protection standards. These all but dictate encryption of data at rest and in motion. I’ll talk about encryption next. There are data breach notification standards. No more of this waiting for months, waiting for quarters to let everybody know. I think there was a big one the other day and we found out, “Oh, it happened a year ago.” None of that with GDPR – you have 72 hours. It’s a name and shame policy. Hopefully nobody gets to that, clearly some people will. Breaches will go on, even after GDPR, of course. There are processes to monitor the location and quality of data. Sound familiar? That’s really the heart of data governance. Hopefully you have some of those going.

EU citizens have the right to be forgotten, as Eric mentioned. There are some reasonability standards to this, Eric. You do not have to obliterate everything necessarily, if you may have to re-contact that customer, that employee, you are allowed to keep certain aspects of their personal data. But, nonetheless, those citizens have the right to be forgotten, but there can be no disproportioned effort – that’s the language – on you or harm to the company, that’s on you to be obliterating that data. I don’t want to downplay it, but you also have to release copies of personal data that’s been held and you can only get that data under consent. That consent must be given by people who are of a minimum age to grant such permission. That’s a mouthful there, but that’s giving citizens a lot of rights over their data. That’s portability right there, in case that ever comes up. The right to be forgotten, clearly, but also – and something that’s not on my slide that’s pretty important – is the data subject shall have the right not be subject to a decision based solely on automated processing. What have we been moving hard to? Automated processing, around loan acceptance, what offers we’re going to give, this all needs to be worked out in terms of how this is going to play out and how far this going to go. What this is essentially saying, is transparency around why I got rejected, why I am being treated in a certain way by this company. This is a right now, being granted to an EU citizen.

Obviously, there’s some ramifications on how we do business and hopefully you’re seeing that GDPR is not an IT problem, not an IT only problem. All these business processes are involved. It will involve people from all across the company. The appointment of a data protection officer is recommended for those companies with more than 250 employees and you have “critical math with EU PII data.” You can decide for yourself if you have that critical math, sometimes it’s obvious, sometimes it’s not. But, there’s a new role – doesn’t have to be a full-time role, the person can have other responsibilities, but I don’t know – in some midsize and larger corporations, pretty much I think adhering to GDPR is going to be close to a full-time role. I’d say start out that way and see if you can handle it. Especially over the next year, as you get your act together around GDPR, once it’s settled in, maybe you can slow down the work on this, but it’s going to take some companies quite a bit of time. Allow individuals to see their own data and data portability, as I mentioned before.

This is not all new, by the way, but the right to be forgotten has actually been out there, believe it or not. The current EU rules already provide for a right to have personal data deleted or made unavailable. However, now it’s part of GDPR, it’s going to be enforced much more broadly. Data encryption – encrypt your data at rest. Use standard encryption methods, don’t use your own homegrown or nonstandard encryption. AES is one that we recommend quite a bit. Use cryptographically secure encryption keys. Change those keys periodically. Also prevent those keys from loss. These are just good encryption practices, but now they’re coming to the forefront with GDPR. Therein lies the problem – I’ve only hit the tip of the iceberg. There’s more provisions, obviously, to look into, but those are the main ones.

Now, solution. Data governance, the framework your compliance, at least that’s the perspective that I’m putting forward here. Fortunately, there is an active well-heeled discipline that can and does, when mature, address most of the requirements, and that’s data governance – obviously I’m saying that. Governance programs should have a data glossary, and here I am using data glossary in a generic sense to mean documentation across the board for your processes. This is foundational, to serve the inventory needs of GDPR, which is, as we’d seen, are quite immense. The program, the governance program, should facilitate the data security protocols – and I underline that because that’s not something that a lot of data governance programs are doing right now, but I think it’s a logical place for this to be done because they’re sitting on the program that’s determining who are the business owners? Who needs to see it? And then the next step is to be granting those permissions. That needs to be centralized, that needs to be formalized. There needs to be internal policies that are used. Stewardship needs to be assigned to all elements to provide input to all of the above. Data governance can also be the facilitator of the business process engineering, that is going to be required.

Before I leave this slide, in pursing the avoidance of the hefty fines, companies will be embracing sound business practices as a byproduct. I like to say that it’s more than a byproduct, but it’s actually just good, sound business that can lead you in new places from a business perspective. Certainly, you’ll get a lot of efficiencies for doing all initiatives across the board, if you have sound data governance, that’s what I’ve seen over the years. By the addition of some of these things that I’m mentioning, to data governance, they will only get better. In your business process engineering we recommend you ask these questions across the board, hit every business area. What kind of data do we collect on our EU customers? I won’t read them all. Some of the key ones here. Who has the need to see this data and is that being followed? Who’s the data steward for that data? Who’s my go-to person in the business? This is a big one: Do we share this data with third parties? Just because you give it off to a third party, doesn’t excuse your liability around that data – that’s still your data, that’s still data you collected. There are a lot of third-party contracts now being thoroughly reviewed as a result of GDPR. Do these systems have deterministic failures? Meaning when they fail, they fail into a path that we have predetermined, or did they just fail, crash, burn and we start from scratch digging in on it? It’s going to be obviously a lot better. It’s a good practice already, but obviously a lot better for reverse engineering some of this stuff, if you have great deterministic failures in your system.

Data retention, we’ve been talking about data retention forever. A lot of companies have policies, they don’t all follow them, though. Obviously, famously in health care and financial, we want to keep data, we have to keep data for a certain number of years. Some of the analysts in these firms that keep data for the seven years or whatnot, say, “Oh, after that period I still want that data.” Some of the lawyers in these companies say, “But we need to get rid of it for liability purposes,” and so on. That cannot just simply sit there, as an issue at loggerheads any longer with GDPR. We have to have the retention period, have it followed consistently across the board within the organization.

And finally, how do you mobilize for a data breach? These worst-case scenarios that could happen to you. Obviously, we’re trying to prevent them, but what if it does happen? How do you war room the thing and make sure that you’re following now the provisions of GDPR in your response? I’m a data architect, I think about data architecture. If you are a U.S.-based company with EU operations, meaning EU citizen data – you’re collecting it, you will have to consider whether to apply the data protection standards to all data or just EU data. Yes, I have clients that are making that decision now. As sound business practice, they might want to bring that over to the U.S., they may feel like they have time, though, but that brings up bullet number two. You may have to wall off EU data from U.S. systems if you cannot vouch that U.S. systems will handle data appropriately. Does that separate data for the purposes of analytics? Are analytics even valid if you’re trying to do them across country? Sometimes yes, sometimes no, right? You may find that your analytics are going to be muted as a result.

As I mentioned before, artificial intelligence plays in here because obviously, we can use AI to go find all the data, help us find all the data, but if we use AI in our customer interfaces, we need to have transparency now with our customer interfaces and that has never been AI’s strong suit. To try to tell a customer, “You were rejected because blah, blah, blah,” when really it was AI. That now has to be done. We have to figure out how AI is working, what are the factors? Can’t just sit there and be a black box to you anymore. What do we do now? Establish your GDPR board. I suggest you have your senior privacy officer in there or if you have a data protection officer, obviously that person. The heads of data governance, operational risk and/or compliance, as they apply, the head of IT, CIO if that’s the person. If you have a changed management person, that would be a great person in there. Just heads of some of the most important departments across your business, and also the head of HR because privacy training now is going to be huge. Everybody is going to get privacy training or should be getting privacy training when they board up a company, even consultants.

If you’re not doing these things that you see here, you’re going to have to move quicker than you would like to make the deadline. You also need to begin hoping that you’re not one of the first ones to get audited because, frankly there’s a lot of work here if you’re starting from scratch and you deal with a lot of EU citizen data. Hire your DPO, inventory your data and your processes. Build that plan for data governance, take it from where it is, to where it needs to be. As the case may be, you might want to start it. Craft your privacy policies and your policy notices. Privacy policies are internal. Policy notices go external. We are seeing a culture starting to be created now around policy notices. A lot of comparison being done and a lot of careful wording been done, around these policy notices. Charter a GDPR compliance check for all systems, including new systems. You might have to sequence them and do them in some sort of order of importance, but this is another way to tackle the problem. Look at the systems and what they’re supposed to be doing and how they’re handling this data.

What does GDPR signal? That’s what we’re here to talk a little bit more about. I look forward to what Kim has to say about this. GDPR is a shift in data privacy controls towards regulation. It’s a trend towards transparency, it says so right in the provisions. We’re creating this culture of privacy notices, as I talked about, that’s a thing now. We’re going to see conferences about privacy notices and so on. The GDPR shift is towards the fundamental rights of people. Open questions will be worked out. There’s clearly open questions, I’ve left a few on the table here for us. Nobody has the answer. They’re going to be worked out. A trend towards greater understanding by individuals about their data and how it’s used. I think this has raised the awareness among the population of the EU, as to the importance of their data and seeing that as one of their personal assets, that they need to manage more. That’s some of the early signals that I’ve seen, and Eric, I’ll toss it back to you now.

Eric Kavanagh: Alrighty, let me hand the keys off to Kim, who can share some of her perspective, but I think that was a good overview, William, and you hit on the key points – namely that this coming down the pike for sure and we have to all be very careful, quite frankly. With that, let me hand the keys over to Kim and you can share your screen and take it from there.

Kim Brushaber: Hey there, can you hear me?

Eric Kavanagh: I can hear you.

Kim Brushaber: Awesome. William covered some of the same things that I’m going to cover, but I think that they’re worth covering again because they’re really important. I think that when new regulations are passed down, it’s really good to get a lot of different people’s perspective and interpretation on it so that something sparks your mind and lets you be able to become even more in compliance. I’m encouraged by all the people that are on this call that want to know more because I think come May 25th, there may be a lot of panic for companies that are being chased after, not being in compliance.

My name is Kim Brushaber, I’m the senior product manager at IDERA. I have several products under me that do help with GDPR compliance as well as other regulations. I’m going to jump into some of the information. I’m going to start with some facts and some figures and then go into a little bit about GDPR and then specifically how our tools can help you. One fact is over 5 million data records are lost or stolen every day. We don’t hear this reported on the news, we don’t hear this come in from other places, but there are over 5 million data records that are stolen all the time, right out from under us. The median number of days that attackers stay dormant within your network is 200 days. Many systems are already infiltrated by people who – with malicious intents – who are just waiting for the opportunity to capitalize on your information, mostly within security and certificates, but they’re just waiting for their moment to pounce. That’s why it has become increasingly more important to handle your data security. The average cost of single data breach in 2020 is predicted to exceed $150 million, as more business infrastructure gets connected to online resources and as more things go up in the cloud. That’s a good budget number if you’re really concerned about data security, to give to your executive team, to tell them that this is a serious matter and could cost us a lot of money going forward.

I’m going to briefly go over the Equifax data breach because I think it was the biggest data breach of 2017, to kind of paint out the picture of what it’s like to go through that. The breach affected 145.5 million customers. Employees acknowledged the security issue with their web application two months before the breach occurred. Employees were saying, “This is an issue.” And even a little bit before that was when the patch actually came out. It took a full day once the breach occurred to respond to it and take the web application offline. Because Equifax did not have a defined data security protocol, it took them a significant amount of time to even figure out what was going on and then be able to take the system offline. Six weeks after the breach, the public was alerted. With GDPR – as we stated above and I’ll say it again – you have to report within 72 hours, and Equifax would have had their hands tied and been unable to meet that compliance because they waited for six weeks to report it. The communication to respond to the breach included a website that was not even owned by Equifax. Equifax themselves were retweeting this tweet that wasn’t even in their domain – they had reversed some of the words around. Fortunately it was not a malicious site that was capitalizing on that, but they obviously were not prepared. They did not have a plan in place, and this became very aware in the public arena. Equifax is not alone – there’s over 25 very high cyber profile attacks in 2017 so far, and we could still find more before the end of the year. Companies really need to start taking this seriously because people are out there and if you give them a reason to want to come at you, you’d better be prepared to be able to handle it.

Some other data facts and figures in regards to how individuals are looking at data security. By 2020 there will be 30 billion devices connected to the internet via our homes, via our wearables, via our phones, our tablets and who knows what else may still come in the years to come. There are lots and lots of devices that are left vulnerable to these attacks. Forty-nine percent of Americans feel their personal information is less secure than it was five years ago. Seventy-three percent of consumers in America want companies to be transparent about their personal data. Seventy-eight percent of people claim to be aware of the risks on clicking on unknown links and emails, but they click on those links anyway – that’s over three-quarters of our population, and they’re still clicking on the links even though they know it might be an issue. Eighty-six percent of internet users are actively trying to minimize, anonymize and hide the visibility of their digital footprints. My stepfather likes to go out and create fake names when he’s filling out forms because he thinks that makes him anonymous, but little does he know his IP address is also being tracked. There’s a lot of individual concern and that’s what’s spawning a lot of the GDPR regulations and probably additional regulations that will come to follow.

As far as the data security industry facts, 90 percent of the breach data records in 2016 came from government, retail and technology. Forty-three percent of cyberattacks attacked small businesses. If you think, “Oh, I’m not a large guy, they’re not going to come after me,” there’s still, almost half of them that are going after small businesses. Seventy-five percent of the health care industry was infected in malware in the past year. Seventy percent of the U.S. oil and gas companies were hacked in the last year. This is a significant amount of impact on various different industries that are up and running, and this number is only going to go up from here.

When you look at it from the executive perspective, 90 percent of CIOs admit to wasting millions of dollars on inadequate cybersecurity. Ninety percent also say that they’ve been attacked or they expect to be attacked by guys hiding in their encryption. Eighty-seven percent believe their security controls are failing to protect their business. Eighty-five percent of CIOs expect criminal misuse of their keys and certificates to get worse. This is a huge number of companies that are looking at this data security issue and the reality is, a lot of them don’t have very good solutions in place to even be able to deal with it when it happens, even though they believe that it will happen.

When we’re looking at the preparedness of it, in 2014, 70 percent of millennials admitted that they brought outside applications into their enterprise in violation of IT polices. Seventy percent admitted to it – there’s probably even a greater number than that, that actually did it. Fifty-two percent of organizations that suffered successful cyberattacks in 2016 did not make any changes to their security in 2017. Even though they got attacked once, they still didn’t go and shore up the walls – they’re just as vulnerable as they were before the attack. This really begs the question, what do companies need to start doing, in order to prepare themselves for these things? Thirty-eight percent of global organizations claim that they’re prepared to handle a sophisticated cyberattack. That’s good – almost half are there, and I’m being generous with that, we’re really only at a third, but there’s still at least half that say, “I’m not ready. If I get attacked, I’m not ready and the hackers know it.” Thirty-eight percent of organizations have a cyber incident response plan. Most companies are in the same bucket as Equifax, where they don’t know what they’re going to do. If they get this, they’re going to have to react and come up with these things on the fly, and regulations like GDPR say, “You’ve got to have these in place. You have to have them published. You have to prove it to security auditors.” Hopefully with impacts like that, with regulations like that, we will be able to get ahead of this curve and instead of being reactionary, we can be proactive in our pursuits.

Let’s talk a little bit about GDPR. Some of this William has already covered, but I’m going to go ahead and cover it again, just from my take, my voice, my perspective. A lot of companies that I talk to, they’re like, “I’m in the U.S., why should I even care about this EU regulation?” The fact that more people aren’t buzzing and more people aren’t talking about it, they think that it’s only EU members affected, but I would ask you, if you look at this list, do you collect any of this data from EU members? If you collect any of this information at all, you are subject to the boundaries of the GDPR, as well as the penalties for not being in compliance. I’ll give you a second to just kind of absorb this and understand this. As William mentioned earlier, these are the penalties and sanctions as referenced in Article 83 of GDPR. At the beginning you may get a slap on the hand, a little bit of warning saying, “Hey, get your act together. Put this in place.” But if you have a really big breach – and depending on how big of a deal it is – they will come back to you for restitution, and it’s a significant number. Not 10 million, but 20 million euro or 4 percent of your turnover/revenue from the previous year. That’s a lot of money. This is a lot of budget to go at your executive teams and say, “This is something we do need to start taking seriously and we need to take action on.”

Let me go over a little bit of the GDPR principles as outlined in Article 5. One of the things that they say is that personal data should be processed lawfully, fairly and in a transparent manner. That means the public wants to know what you’re doing with their data. Be transparent about it and it’s got to be published. Most people don’t read terms and conditions, but this is new information that you need to be able to communicate, so that you can tell them, “Your data is being handled appropriately.” The personal data should be collected for a specified, explicit and legitimate purposes. This means that hopefully we can get rid of some of this spam, where companies say they’re collecting information for a quiz that tells you how interesting you might be, and in reality they’re taking your data and selling it back to somebody else, to be able to use for whatever their purposes are. Companies now need to be much more responsible and say exactly what they’re using your information for. They also say that personal data has to be adequate, relevant and limited to what is necessary. A lot of companies like to take all their information and put it in a big data pool and then they figure out what they want to do with the information later and they collect far more than may be necessary. This is saying you can’t collect it and use it somewhere else. You also can’t just collect everything and hope that later you might find it useful. You have to be very explicit in why you’re collecting the information and it must be relevant to the data you are collecting.

Personal data also needs to be accurate and kept up to date. You have to give users ways to update their data, once you have collected it on them; they need to be able to go back and say, “You know, I had this opinion on some survey you asked me on personally identifiable information and I want to go back and I want to change that and update it now.” And you have to give them a way to be able to do that. Personal data has to be kept in form which permits identification of data subjects for no longer than is necessary. Back to William’s point, that you can’t collect this information forever – you have to come up with what you think is valid and necessary and then after that, you have to wipe the data clean. It also has to be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage.

As I said before, it’s time to get really serious about this, stopping those data breaches because not only may you have injury that comes to your company in the form of the data breaches and the loss in revenue and the cost of shoring up your processes, but you may also have a pile of fines slapped on top of you from GDPR. It’s time to really start to get very serious about that and I think that as GDPR goes into effect, companies are going to be faced with the hard reality, and luckily those of you who are on the call today can start thinking about this and know how you’re going to put these things into action.

GDPR also talks a lot about what the rights of individuals are; it’s really looking out for the individual users. The first thing is the right to access your personal data. Users need to know what information you’ve collected on them, as far as the personally identified information, and you have to give them a way to be able to access it. There’s also a right to rectification, which is a fancy way to say, “I need to be able to correct the information that you have on me.” The right to erasure – which again, a lot of people are phrasing as the right to be forgotten – if an individual says, “You know what, I no longer want you to know that I’m super fun guy comic book collector, you need to get rid of that. I’ve got some friends that’s teasing me about it and wipe me off your list completely,” you need to be able to do that. There’s also the right to restriction of processing, and this means that users can limit the way that their information is processed. They can say, “I don’t mind you taking my information because I’m buying a new car, but don’t use that information to send me emails and spam me on new deals every time new cars get released.” There’s also the right to data portability, which means that users should be able to get a copy of their data and be able to take it someplace else. A lot of organizations collect information and that information has a stickiness factor, and now individuals can say, “You know what, I want you to take all my information and now I want you to give it to your competitor, so I can move that over.”

There’s a lot of things to be thought about from an organization prospective on how you’re going to be able to do that and what information you want to be able to collect and send over. There’s also a right to object, and users can object to the processing of their data as well. The right to not be subjected to a decision based solely on automatic processing or profiling. This has a significant impact on B2B marketing – if you’re sitting there and trying to A/B testing and trying to identify is Colorado going to be more influenced by a message than California, well you have just done profiling, by looking at one state versus another, and you have to look at how an individual should be able to opt out of that.

Given that we’ve got some scary things that are coming as far as data breach and how people are looking at their data and we’ve got this huge regulation that’s getting dumped on top of our shoulders, I’m now here to give you the solution on how IDERA can help. Article 15 talks about how to control the exposure to personal data. You have to know who’s accessing your data. How they’re using it. How much data’s been processed and SQL products Compliance Manager, which I’m the product manager for, allows you to see who is accessing your data and how. SQL Compliance Manger is for SQL Server solutions. If you have a SQL Server database, you can connect this product to be able to audit and look at this information, so that you can be in compliance with GDPR and you know exactly how it’s being used. You can also see data breaches before they happen, and I’ll talk about that in another slide. There’s also an article that says, “I need record of processing activities. I need to log and I need to monitor operations and I need to know who’s processing personal data and who has access to those systems.” SQL Compliance Manager maintains auditing of servers and databases, including security, DDL, DML as well as define sensitive data. SQL Compliance Manager allows you to audit security access and log an attempt, so you can see who’s accessing information, as well as who’s logging in, whether it’s a privileged user, whether it’s a known user, or whether it might be a malicious user.

Article 33 talks about the notification of personal data breach to a supervisor authority. You need to be able to detect those breaches; you need have records to be able to assess the impact; you need to know how quickly you’re going to remedy it. In order to do that, SQL Compliance Manger allows you to set up alerts on your databases to be seen by who has access to your sensitive data, when they accessed it, what they accessed. It also allows you to rule out your normal privileged users from your audit. If you have systems admin or network admin that you know are going to access it and you don’t want to clog up your reports, you can rule them out and say, “Give me everything that’s happening outside of that information.” It allows you to quickly identify if someone is maliciously accessing your data and you can have alerts that are in place, that let you know the moment it starts happening and then moment that the information is accessed, to be able to crack it down, so that you don’t have to wait a full day to figure out what’s going on, like Equifax did.

There’s also an article that talks about data protection and impact assessment. This is assessing your risks and understanding what they are, as well as demonstrating and documenting your compliance with GDPR. SQL Compliance Manager allows you to report on elements that are being monitored. Just to kind of go in a nutshell, auditing your data with SQL Compliance Manager, SQL Compliance Manager allows you to detect failed logins – which is a potential sign of breach – monitor administrative activities and security changes, alert you to the database modifications, audit columns that you define as sensitive information, identify privileged users and track their activity separately from the other users in your system, report that information is being audited in accordance with several regulatory guidelines. Not only do we cover GDPR, but we cover HIPAA, PCI, FERPA, SOX, all of the regulatory guidelines when they come to auditing your information and understanding what’s being accessed, we have those regulatory guidelines in place.

We have additional products at IDERA for GDPR preparation as well. Beyond just the auditing that SQL Compliance Manager does, we have ER/Studio Enterprise Team Edition, which can help you document your data processes and incorporate data standards into your data model, you can create data glossaries that William was talking about in a previous slide. As I’ve stated here with this presentation, SQL Compliance Manager can help you to audit your information to make sure the wrong people aren’t accessing your data, as well as proving this to the auditors. SQL Safe Backup can help you encrypt your data and your backups. Encryption is an essential part of GDPR, which I didn’t cover in great detail because I wanted to focus a lot on Compliance Manager’s assets, but SQL Safe Backup does a lot of the encryption for you, so that your data can remain safe. SQL Inventory Manager can ensure that the servers are patched and up to date, so you don’t end up in a case like Equifax, where they had an out-of-date patch which gave them a big security hole that people were able to use maliciously. SQL Secure can audit privacy and encrypting standards.

For more details on the IDERA community website, under our blog, I have posted a Getting Prepared for GDPR as well Looking Towards 2018 and Understanding What GDPR’s Impact Is Going To Be and there’s also, you certainly can download a trial copy of SQL Compliance Manager at IDERA as well as any of the other products that I just mentioned previously in the slide.

At this point, I’m going to go ahead and hand the presentation back over to Eric so that we can ask some questions.

Eric Kavanagh: OK, good. You touched on a number of really interesting things there, Kim, one of which – I think this is kind of simple but it’s pretty clever – you talked about the detecting failed logins. It seems to me that’s a pretty good sign that someone’s up to no good right?

Kim Brushaber: Absolutely. If you see somebody who’s been trying to access and crack your password, that’s a very quick way to be able to say someone’s not doing what they should be. Maybe a couple times you might type your password incorrectly, but if you see 30 of those come through, that’s a bad sign.

Eric Kavanagh: Yeah. They key here is to set your alerts with the proper context. What else can you tell us about how to manage the process of setting up alerts and deactivating ones that aren’t doing what they should be doing and how much of that stuff can be automated?

Kim Brushaber: Compliance Manager does have a lot of configurable alerts, as well as reports that you can review. We go through your SQL traces and we have that automatically tracking and we have a lot of it that’s already pre-set up and predefined, but there’s certainly a significant amount of customization you can do as well.

Eric Kavanagh: William, I’ll bring you into this – it seems to me that’s one of the areas where we’re going to see machine learning to come into play over the next two to ten years or so, is looking at all the different possibilities. Looking at all the different ways that a system can optimize its efficiency, it’s effectiveness around issues like breaches and so forth. Is that your take as well?

William McKnight: Yeah, absolutely. I think that we’re building systems now that repair themselves. The 24 by 7 monitoring is starting to slip away and become a thing of the past, although we still need that kind of uptime. I think the systems are largely getting that built in and figuring out what it is that is wrong. Do we need to allocate more space here or what have you? Yeah, I think that’s definitely a part of our future. Anything out there that can be mapped to some steps of action, to take in response to something, is definitely vulnerable to artificial intelligence.

Eric Kavanagh: That’s a good point. I’ll throw one more question over at you, William, because I know you do a lot of research into this space. One of the things that I’ve been waiting for now for quite a while and I don’t think we’re there yet – I think we’re getting close, just from what I’ve been reading and thinking about it – is a day when there will be technology to absorb regulatory issues, the actual wording of these things, and map that to functionality and software. Like I say, we’re still a ways from that – I can’t imagine there’s not someone working on it. Have you come across anything like that, or are we still at a point where human beings need to look at the rules, really try and understand them, codify them in machine code, essentially, and then torque that over to their various applications?

William McKnight: Well, I certainly get the concept that you’re sharing here. I’m not familiar with anything going on towards a rollout in an environment that is related to that. I will say in general though, obviously we are starting to tell the machines not what to do but what the goal is of what we want to do and machines are getting a lot smarter about figuring out the details. I think once we get some more artificial intelligence in our organizations that it is quite possible that new regulations can be developed in concert with the AI that’s deployed inside of organizations such that they can roll out in the manner that you described in the future. For now, we’re not acting with that.

Eric Kavanagh: Here’s a question I’ll throw over to you, Kim, ’cause this is kind of interesting too. You talk about the average latency or the time someone who logs into your system hides and just waits – number of days an attacker stayed dormant within a network – detection is 200. I’m curious to know, what are your thoughts around how to improve that, first of all? But also, is there is a way to use this kind of rule to explore your own system? To explore your own data, to do a better job of keeping these kinds of folks out?

Kim Brushaber: Yeah, I think that obviously early detection is key. You need to figure out that these malicious sites are accessing your information and be able to lock it down. I think that in the other slides where we show that most organizations don’t have those policies in place. That’s why they’re sitting there. I think that if you actually had a policy in place to go through and lock down your access and make sure that the right people have access. Make sure that you’re rotating your keys on a regular basis and updating them. Make sure that your passwords are being updated regularly and doing those kinds of things, which seem pretty basic. Right now, most organizations aren’t even doing that, and to start to put those pieces in place will help you to get beyond this.

It means of course the hackers will get more crafty about it, but at the moment it’s easy, it’s like, “I’m going to look at the houses on the street that I feel like I want to break into, will those have alarm systems? Do they have a little alarm sign and that one has dogs? I’m going to go to one that doesn’t have an alarm sign, doesn’t have a dog and that’s the house I’m going to break into.” Well, they’re going to find out the companies that don’t have these patches in place and they don’t have the security in place and they aren’t updating their passwords and they’re going to go and hang out there and use your credit card on a gas station a couple times to make sure you haven’t shut it down and then when they can influence a big change, normally some sort of a political statement or otherwise is when you see them pop their heads up. Getting those policies in place, I think that at this point you can take some pretty minimal steps to be able to get ahead of this game.

Eric Kavanagh: That’s probably the best advice and I always hear this when we talk to folks who are in the security space or the regulatory space, that basics will cover 80 percent of your problem, and that’s a lot of ground to cover – that’s a good point. One of the attendees asked about if someone could expand on the business opportunities that could be mined from GDPR compliance efforts, I’m reminded to of Sarbanes-Oxley, and I guess, William, I’ll throw it over to you. As a consultant you’re always looking for ways to help your clients outside the scope of a particular project – at least if you’re a good consultant you’re doing that. When you talk to folks about GDPR, what are the ancillary benefits that you can tout that they will get if they engage in some project focused on that?

William McKnight: First of all, it’s important to note that the idea behind GDPR is not full rights to the citizen at all in. There’s the other side of GDPR which is, this is going to improve the trust that citizens have in our companies and it’s going to encourage them to do more business in the companies that are compliant. There are those ancillary benefits of actually accomplishing your GDPR, now internally, the data governance programs that we implement serve to facilitate all manner of initiatives, really, that are being kicked off within organizations and today, most by far, initiatives that are being kicked off inside of organizations. I’ve recently been doing some planning for 2018 with many of them, they have to do with data, a lot, they’re like 65 percent to 90 percent all about the data – when you’re talking about telematics or customer 360 program or a dashboard to monitor salespeople, it’s largely about the data. Anything that manages that data better, that puts it in a better architecture that names people that are the go-to people that can answer any and all questions about that data, that really care about like a data governance program would. Anything that gives us a data glossary – like Kim was talking about with her tools – anything that does that, it’s very helpful to making these initiatives much more efficient, de-risk them, shrink the time, shrink budget for the them and get us to an agile time to market a lot faster and good things for a company doing initiatives, which is all companies.

Eric Kavanagh: I love that concept of trust. I think trust is a very underappreciated reality in our world and frankly most business runs on trust – it really does when you get right down to it. I’ll throw it over to you just for some closing comments, Kim. I think one of the key value adds here is improving trust and fostering a culture of trust because that will not only have positive impacts on the company itself, on people inside the company per se, but also on what the public perceives because that kind of thing spills over, it seems to me, but what do you think?

Kim Brushaber: Yeah, I think when I talk to friends who work at Google or work at Facebook or some of the bigger, really high-profile organizations, they are not implementing nearly as many new features as they are at implementing security protocols and performance and scalability issues because they want their user experience to be one where they believe they can trust in that information. I think that companies have that responsibility as we continue to go forward to provide that kind of trust. I remember when people first started putting credit cards online and people are like, “Oh my god, I’m not going to give that information out there ’cause it’s not secure.”

And now, your credit card goes to every which way because you, in theory, think you can trust the company because it’s got a HTTPS certificate. Then you hear about the Target data breaches where credit cards, where they were like, “Oh, you better trade out your credit card because we let go of that information.” I think it’s a two-way sentiment. I think that individuals, while they want to be more trusting because it’s a lot easier, to be able to trust and have faith in this at large organizations, the large organizations have to step in and put these pieces in place so that they don’t injure the individual or you lose market share. People say, “Well you know what, I’m not going to shop at Target anymore, now I’m going to shop at Amazon.” I think trust is a big issue, although, like we said, 78 percent of people are still going to click on that link in an email, even though they know they might not. There’s a certain amount of protection of people, even when they do trust you.

Eric Kavanagh: That’s a good point. You know what, I’ll throw one last question over to you, William, or at least one more – we got some good ones coming in now. An attendee writes, “GDPR is moving identity management back to the customer, where it belongs. Equifax permanently damaged 149 million consumers,” very true, “contaminating the digital economy. What changes do you see happening in the U.S. regarding customer ownership with respect to identity management?”

William McKnight: Well, we’re always behind in the U.S. when it comes to this sort of thing, aren’t we? One hundred forty-nine million, that’s no drop in the bucket right there. It’s almost like terrorism, right? We’re just so used to, it’s just happening all the time. I think something needs to be done. I think GDPR, I like rights that it gives to citizens, but it doesn’t seem to be a priority – there’s a lot of other priorities and I don’t know where it’s going to go. I think, as I mentioned in ramifications slide that I had, that this signals a shift towards more rights by the consumer over their data. When that happens here in the U.S.? I don’t know, it could be up to five years off, to see something commensurate to GDPR happening here in the U.S. Just speculation at this point.

Eric Kavanagh: It’s a really good point and I think we are going to see more effort on this because, let’s face it, we’re moving to such a digital economy these days. And as a closing comment here, getting a tad philosophical, policy oriented, this is what concerns me the most about the move to a cashless society, because when cash goes away, if that happens, then everything is digital and every system can he hacked and every person’s identity can be stolen. It seems to me that’s a pretty big elephant in the room here, as we look down the pike to the future of identity management.

This is all great stuff, folks. Thanks to William McKnight for his time and attention today. Thank you to Kim Brushaber from IDERA. We do archive all these webcasts for later viewing, so feel free to come back, usually within just a few hours and the archive will be ready. With that, we’re going to bid you farewell, folks. Thanks again for your time and attention Take care. Bye-bye.