As we continue to inch closer to the EU's General Data Protection Regulation (GDPR), organizations and executives both in Europe and other countries-including the United States-are gearing up for these significant regulatory changes concerning data privacy. There is great concern about this from organizations worldwide, since the GDPR becomes effective on May 25, 2018, and will have a significant impact on how organizations address how they handle sensitive data. Oksana Sokolovsky, CEO of Io-Tahoe, shares her insights on this critical topic.

VMblog:  What are the main issues and challenges that companies must prepare for in relation to the pending legislative changes due to GDPR?

Oksana Sokolovsky:  The GDPR is far from just another privacy regulation. Not only is it extremely complex in terms of regulation, it is also the most important change in data privacy regulations that has happened in the last two decades. One major concern that organizations in practically every industry must figure out how to manage is the reality of increasing data volumes. Over time, many organizations amass an unwieldy amount of data, and its footprint is difficult to manage. Another issue is the collection of confidential personal information, it is incumbent on organizations to know how to effectively track and monitor how this sensitive data is managed throughout the enterprise. So with GDPR poised to go into effect shortly, a big concern for companies worldwide is that they must tackle the challenge of managing this personally identifiable information and sensitive data. That means discovering it, understanding each and every instance of it, and then being aware of its flow throughout the enterprise-all in all, is a daunting undertaking.

VMblog:  There isn't much time left before the regulation takes effect in May.  What do companies need to worry about in terms of non-compliance?

Sokolovsky:  With only a few months remaining before companies must start abiding by the GDPR regulations, there are indeed concerns about achieving compliance in the time left, especially when you consider the very steep financial penalties for non-compliance. Companies that are not GDPR-compliant will be fined either 4 percent of the organization's total global revenue or €20 million ($23.5 million), whichever is larger-they may also face criminal charges. Companies also need to be aware that even if they aren't based in the European Union, they may still need to adhere to the new regulations. GDPR applies not only to business entities with a physical presence in the EU but also to companies conducting business with EU residents-even if they are located outside Europe, including in the United States. In short, if your company markets products or services to EU residents, even online, then you will be subject to the GDPR.

VMblog:  What types of new questions and concerns does the GDPR raise for affected companies?

Sokolovsky:  The regulation takes many businesses and executives into unfamiliar territory, since it mandates a massive shift from the current regulatory requirements. An example of the types of issues that companies now need to consider is that the regulation requires all companies that have more than 250 employees to designate a Data Protection Officer (DPO) to report into the company's top management to help ensure compliance. So in addition to the financial impact of this legally required new hire and the penalties to organizations that fail to appoint a DPO (who by law must be independent), companies must also consider how they will manage and protect their most valuable information in the increasingly likely event of a data breach. DPOs are responsible for quickly reporting any suspected data breaches-within 72 hours-which is a big change from today's requirements. With this in mind, some questions that companies should currently be exploring are: If my company experiences a data breach, how would it affect the company's reputation, as well as senior management's reputation? How would customer retention and new customer acquisition be affected? Would customers (both existing and potential) lose confidence in the company's data-protection ability, especially when it comes to safeguarding their personal identifiable information and sensitive data? And looking ahead, how would such a breach impact long-term business performance and future sales?

VMblog:  Clearly, businesses are now tasked to rethink how they manage and protect sensitive data.  This triggers other interrelated issues, depending on the type of business you have.  Will some verticals face especially tough challenges?

Sokolovsky:  The fact is that all verticals need to be cognizant of the upcoming regulatory changes. The GDPR applies to any organization with large volumes of data-regardless of vertical and regardless of whether they have a physical presence in the EU-that fits the criteria of conducting business with or marketing to EU residents. All verticals that fit these criteria only have until May 25, 2018 to ensure that they are compliant companywide with GDPR. By taking action now to put the appropriate strategies in place, organizations can reduce the risk and burden associated with noncompliance.

VMblog:  What types of platforms or strategies are available to help executives and companies face these upcoming challenges?

Sokolovsky:  Io-Tahoe recently launched a new offering that helps customers address GDPR requirements quickly and comprehensively. In particular, there are two facets of the GDPR that the new solution addresses: Article 9, which is the "Processing of Special Categories of Personal Data," and Article 17, which is the "Right to Erasure" or "Right to be Forgotten." This machine learning-driven solution effectively supports these GDPR requirements using unique sensitive data discovery capabilities..

VMblog:  How does the solution work, exactly?

Sokolovsky:  Io-Tahoe specializes in two areas: first, it enables companies to discover where their sensitive data resides across their entire heterogeneous technological landscape. Once these assets are discovered, it helps businesses apply appropriate controls. The result is that organizations no longer have to "hope for the best" with manual methodologies that are both time-consuming and potentially error-prone. Instead of being under-prepared and having to face the consequences of GDPR noncompliance, companies that use Io-Tahoe's solution know not only where their data resides, but also how it flows through the company. By helping users understand each and every instance of their sensitive data, companies take a critical step toward addressing GDPR. Io-Tahoe also facilitates the ability to manage and govern this sensitive data on a regular and ongoing basis. 

Sokolovsky:  Data discovery is the fundamental requirement that must precede all other data disciplines and provides the foundation for regulatory compliance. Ultimately, companies that begin with data discovery are better positioned to not only analyze data, but also to glean insights needed for business intelligence. Once sensitive data is identified and its flow illuminated throughout the enterprise, organizations can then move forward to take the needed next steps, which include data monitoring. It doesn't matter if the data is stored in a conventional relational database management system or in a data lake platform-either way, Io-Tahoe's GDPR offering lets companies easily auto-discover the location and movement of critical data wherever it resides in their organization.

VMblog:  Is there still enough time for companies to prepare for GDPR?

Sokolovsky:  Timing is tight with the clock ticking until May 25, especially because the regulation is so complicated. That said, the right technology solution can go a long way in helping enterprises quickly prepare to achieve GDPR compliance. It's a significant task for most organizations, but the worries can potentially be reduced-or in some cases even eliminated-if the appropriate technologies and strategies are deployed now.

Oksana Sokolovsky is an ex Wall Street executive turned entrepreneur; an experienced CEO who has achieved early stage acquisition.  Sokolovsky is passionate about developing disruptive technology. Her technology expertise combined with business acumen, allows her to bring a unique perspective to developing innovative products, commercializing them, and taking them to market. She is a technologist with experience running large IT departments within leading global Financial Services firms, establishing and transforming technology functions, and leading global high performing teams. In her 20+ years technology career, Sokolovsky has held a number of senior roles at JPMorgan Chase, Morgan Stanley, and Deutsche Bank, as well as United Health Care, Instinet, and Barnes and Noble. Most recently, Sokolovsky built disruptive data discovery technology, which was acquired by Centrica's Io-Tahoe.