
As we continue to inch closer to the EU's
General Data Protection Regulation (GDPR), organizations and executives both in
Europe and other countries, including the United States, are gearing up for these
significant regulatory changes concerning data privacy. There is great concern
about this from organizations worldwide, since the GDPR becomes effective on
May 25, 2018, and will have a significant impact on how organizations
handle sensitive data. Oksana Sokolovsky, CEO of Io-Tahoe, shares her insights on this
critical topic.
VMblog: What
are the main issues and challenges that companies must prepare for in relation
to the pending legislative changes due to GDPR?
Oksana Sokolovsky: The GDPR is far from just another privacy regulation. Not only is it
extremely complex in terms of regulation, it is also the most important change
in data privacy regulations that has happened in the last two decades. One
major concern that organizations in practically every industry must figure out
how to manage is the reality of increasing data volumes. Over time, many organizations
amass an unwieldy amount of data, and its footprint is difficult to manage. Another
issue is the collection of confidential personal information; it is incumbent
on organizations to know how to effectively track and monitor how this sensitive
data is managed throughout the enterprise. So with GDPR poised to go into
effect shortly, a big concern for companies worldwide is that they must tackle
the challenge of managing this personally identifiable information and
sensitive data. That means discovering it, understanding each and every
instance of it, and then being aware of its flow throughout the enterprise. All
in all, it is a daunting undertaking.
VMblog: There
isn't much time left before the regulation takes effect in May. What do
companies need to worry about in terms of non-compliance?
Sokolovsky: With only a few months remaining before companies must start abiding
by the GDPR regulations, there are indeed concerns about achieving compliance
in the time left, especially when you consider the very steep financial penalties
for non-compliance. Companies that are not GDPR-compliant will be fined either 4
percent of the organization's total global revenue or €20 million ($23.5
million), whichever is larger; they may also face criminal charges. Companies
also need to be aware that even if they aren't based in the European Union,
they may still need to adhere to the new regulations. GDPR applies not only to
business entities with a physical presence in the EU but also to companies
conducting business with EU residents, even if they are located outside Europe,
including in the United States. In short, if your company markets products or
services to EU residents, even online, then you will be subject to the GDPR.
VMblog: What
types of new questions and concerns does the GDPR raise for affected companies?
Sokolovsky: The regulation takes many businesses and executives into unfamiliar territory,
since it mandates a massive shift from the current regulatory requirements. An
example of the types of issues that companies now need to consider is that the
regulation requires all companies that have more than 250 employees to
designate a Data Protection Officer (DPO) to report into the company's top
management to help ensure compliance. So in addition to the financial impact of
this legally required new hire and the penalties to organizations that fail to
appoint a DPO (who by law must be independent), companies must also consider how
they will manage and protect their most valuable information in the
increasingly likely event of a data breach. DPOs are responsible for quickly reporting
any suspected data breaches (within 72 hours), which is a big change from today's
requirements. With this in mind, some questions that companies should currently
be exploring are: If my company experiences a data breach, how would it affect
the company's reputation, as well as senior management's reputation? How would
customer retention and new customer acquisition be affected? Would customers (both
existing and potential) lose confidence in the company's data-protection ability,
especially when it comes to safeguarding their personally identifiable information
and sensitive data? And looking ahead, how would such a breach impact long-term
business performance and future sales?
VMblog: Clearly,
businesses are now tasked to rethink how they manage and protect sensitive data.
This triggers other interrelated issues, depending on the type of business you
have. Will some verticals face especially tough challenges?
Sokolovsky: The fact is that all verticals need to be cognizant of the upcoming
regulatory changes. The GDPR applies to any organization with large volumes of
data (regardless of vertical and regardless of whether they have a physical
presence in the EU) that fits the criteria of conducting business with or
marketing to EU residents. All verticals that fit these criteria only have
until May 25, 2018 to ensure that they are compliant companywide with GDPR. By
taking action now to put the appropriate strategies in place, organizations can
reduce the risk and burden associated with noncompliance.
VMblog: What
types of platforms or strategies are available to help executives and companies
face these upcoming challenges?
Sokolovsky: Io-Tahoe recently launched a new offering that helps customers address
GDPR requirements quickly and comprehensively. In particular, there are two facets
of the GDPR that the new solution addresses: Article 9, which is the "Processing
of Special Categories of Personal Data," and Article 17, which is the "Right to
Erasure" or "Right to be Forgotten." This machine learning-driven solution effectively
supports these GDPR requirements using unique sensitive data discovery capabilities.
VMblog: How
does the solution work, exactly?
Sokolovsky: Io-Tahoe specializes in two areas: first, it enables companies to
discover where their sensitive data resides across their entire heterogeneous
technological landscape. Once these assets are discovered, it helps businesses
apply appropriate controls. The result is that organizations no longer have to "hope
for the best" with manual methodologies that are both time-consuming and
potentially error-prone. Instead of being under-prepared and having to face the
consequences of GDPR noncompliance, companies that use Io-Tahoe's solution know
not only where their data resides, but also how it flows through the company. By
helping users understand each and every instance of their sensitive data, companies
take a critical step toward addressing GDPR. Io-Tahoe also facilitates the
ability to manage and govern this sensitive data on a regular and ongoing
basis.
VMblog: Why
is data discovery so important in preparing for GDPR?
Sokolovsky: Data discovery is the fundamental requirement that must precede all
other data disciplines and provides the foundation for regulatory compliance. Ultimately,
companies that begin with data discovery are better positioned to not only
analyze data, but also to glean insights needed for business intelligence. Once
sensitive data is identified and its flow illuminated throughout the
enterprise, organizations can then move forward to take the needed next steps, which
include data monitoring. It doesn't matter if the data is stored in a conventional
relational database management system or in a data lake platform; either way, Io-Tahoe's
GDPR offering lets companies easily auto-discover the location and movement of critical
data wherever it resides in their organization.
VMblog: Is
there still enough time for companies to prepare for GDPR?
Sokolovsky: Timing is tight with the clock ticking until May 25, especially
because the regulation is so complicated. That said, the right technology
solution can go a long way in helping enterprises quickly prepare to achieve
GDPR compliance. It's a significant task for most organizations, but the
worries can potentially be reduced, or in some cases even eliminated, if the
appropriate technologies and strategies are deployed now.
##
Oksana Sokolovsky is an ex-Wall Street executive turned entrepreneur and an experienced CEO who has achieved early-stage acquisition. Sokolovsky is passionate about developing disruptive technology. Her technology expertise, combined with business acumen, allows her to bring a unique perspective to developing innovative products, commercializing them, and taking them to market. She is a technologist with experience running large IT departments within leading global Financial Services firms, establishing and transforming technology functions, and leading global high-performing teams. In her 20+ year technology career, Sokolovsky has held a number of senior roles at JPMorgan Chase, Morgan Stanley, and Deutsche Bank, as well as United Health Care, Instinet, and Barnes and Noble. Most recently, Sokolovsky built disruptive data discovery technology, which was acquired by Centrica's Io-Tahoe.