IT Briefcase Exclusive Interview: The GDPR is not just another run-of-the-mill privacy regulation
January 19, 2018
The pending European Union’s (EU) General Data Protection Regulation (GDPR) is top of mind with many business and IT executives not only in Europe, but in the U.S. and other countries/geographies as well. I recently had the opportunity to sit down with Oksana Sokolovsky, CEO of Io-Tahoe, to discuss this critical topic.
- Q. Why is there such great concern?
A. The European Union’s (EU) General Data Protection Regulation (GDPR) becomes effective on 25 May 2018, and will have a significant impact on organizations worldwide.
Before addressing the specifics of the regulation, part of the concern is linked to the increasing data volumes that organizations have amassed over time, creating a footprint which has become difficult to manage. The data may relate to personally identifiable or confidential information, which the organizations continue to amass, but struggle to monitor or track as the sensitive data moves through the enterprise. With the pending regulation, organizations must now manage this data – they need to discover it, understand each and every instance, and how it flows through the organization. This alone is a challenging task.
The GDPR is a complex piece of regulation and it’s the most important change in data privacy regulations in 20 years. There are concerns regarding the ability to achieve compliance in the remaining timeframe of approximately four months, because of the financial implications of non-compliance. The financial penalty will be €20 million/$23.5 million or 4 percent of the company’s total global revenue (whichever is larger) and/or criminal charges. The regulation applies to all companies that conduct business with EU residents, whether they have a physical presence in the EU or are located outside Europe but still market to EU residents. For example, any US company conducting business with EU residents, even if only online, is subject to the GDPR.
For many organizations, these factors collectively are enough to cause concern, but there is the added pressure that this regulation is taking many businesses and their executives into uncharted waters. For example, the regulation mandates that all companies with over 250 employees must appoint a Data Protection Officer (DPO) who must be, by law, independent and will report into the highest level of management of the company to ensure compliance. Besides the hiring costs or the obvious penalties associated with failure to appoint a DPO, executives must also consider the management and protection of the intangible and most valuable aspects of their businesses, should a data breach occur. Given that a DPO must report any suspected data breaches within 72 hours, which is a tremendous shift from current regulatory requirements, this poses a different set of questions and concerns. For example, how would this impact the company’s reputation and those of the executives running it? What would be the impact on customer retention and acquisition? Would existing and potential customers lose confidence in the company’s ability to protect their data, particularly their personal (sensitive) data? In the long term, how would such a scenario impact business performance and future sales?
The regulation coming into effect has tasked businesses to rethink how they manage and protect data. This has triggered other intricate and interrelated components, which can weigh heavily on the minds of the executives.
- Q. Are there specific verticals that will face greater challenges than others?
A. The GDPR applies, regardless of vertical, to any organization with enormous volumes of data that conducts business with EU residents, whether it has a physical presence in the EU or is located outside Europe but still markets to EU residents. These organizations must ensure companywide compliance with GDPR – by 25 May 2018. However, the burden and risks associated with noncompliance can still be lessened if executives act now to implement the appropriate strategies to help reach compliance.
- Q. Io-Tahoe recently announced a new offering focused on addressing GDPR – could you please explain?
A. In November 2017, Io-Tahoe launched a new offering intended specifically for enabling customers to quickly and comprehensively address the GDPR requirements. Facets of the GDPR addressed by the new Io-Tahoe solution include Article 9 (Processing of Special Categories of Personal Data) and Article 17 (Right to Erasure/Right to be Forgotten). The latest offering of Io-Tahoe’s machine learning-based solution robustly supports these requirements with its unique sensitive data discovery and data cataloguing capabilities.
As mentioned, ensuring compliance with the GDPR is a significant task for most organizations. However, this can be reduced – even eliminated – if the appropriate strategies and technologies are deployed now. With Io-Tahoe, organizations need not depend on time-consuming and potentially error-prone manual methodologies that leave them inadequately prepared and dangerously exposed to GDPR noncompliance and the resulting consequences. Io-Tahoe will enable organizations to discover sensitive data across a heterogeneous technological landscape and allow organizations to apply appropriate controls to the discovered assets. Knowing where the data is and how it flows through the enterprise, and understanding each and every instance of the sensitive data, is a critical step towards addressing the regulation. Additionally, enabling organizations with the ability to govern this data on an ongoing basis is the next important step – it is one that Io-Tahoe can help organizations with.
Irrespective of whether sensitive personal data is stored in conventional relational database management systems or data lake platforms, Io-Tahoe’s GDPR offering enables companies to auto-discover the location, movement and flow of sensitive data throughout their organization. Achieving this is particularly significant for organizations because data discovery is the fundamental requirement for all other data disciplines. Organizations can then take the necessary next steps, such as data monitoring, once the data and how it flows through the enterprise have been identified. Ultimately, starting with data discovery better positions organizations to analyse the data and glean the insights required for business intelligence. Of course, data discovery also provides a foundation for regulatory compliance.
The GDPR is not just another run-of-the-mill privacy regulation. It is complicated, and the clock is ticking. However, armed with knowledge, a proactive plan and the right technology solutions, enterprises can still achieve GDPR compliance.
To learn more, we would encourage your readers to visit: https://io-tahoe.com/gdpr/.
Oksana Sokolovsky, CEO, Io-Tahoe
Oksana Sokolovsky is an ex-Wall Street executive turned entrepreneur and an experienced CEO who has achieved an early-stage acquisition. Sokolovsky is passionate about developing disruptive technology. Her technology expertise, combined with business acumen, allows her to bring a unique perspective to developing innovative products, commercializing them, and taking them to market. She is a technologist with experience running large IT departments within leading global Financial Services firms, establishing and transforming technology functions, and leading global high-performing teams. In her 20+ year technology career, Sokolovsky has held a number of senior roles at JPMorgan Chase, Morgan Stanley, and Deutsche Bank, as well as United Health Care, Instinet, and Barnes and Nobles.com. Most recently, Sokolovsky built disruptive data discovery technology, which was acquired by Centrica’s Io-Tahoe (www.io-tahoe.com).