 Live from Las Vegas, it's the Cube. Covering Veritas Vision 2017, brought to you by Veritas. Las Vegas everybody, this is the Cube and we are here covering Veritas Vision 2017. It's the hashtag VTAS, V-T-A-S vision. And this is the day one of two days of coverage here. I'm with Stu Miniman, my name is Dave Vellante. Jane Allen and Jay Klein are here from PwC. Jane is a partner and principal and Jay is a partner. Folks, welcome to the Cube, good to see you. Thank you. So PwC, leading global consultancy, I would say one of the top three, four easily, about two, maybe even top one, right? I mean you guys are gold standard for global, you solve problems that most people can't even begin to touch except for a handful of companies. So, Jane, let's start with you. What's hot these days in your world? So I lead a practice, an information governance practice here at PwC, founded a lot of folks with technology, legal support, regulatory backgrounds and it pertains to all companies these days, right? How do you manage your data to manage all the risks and reap the benefits of it? Certainly a hot topic and certainly with new privacy regulations on board, cyber risk and just again all the benefits of data that companies are trying to take advantage of. It's been a growing consultancy practice and something that's very relevant to companies of all industries. And Jay, we've heard a lot today about GDPR and know it's something that you've been need deep in. What do people need to know about GDPR? I think GDPR boils down to one proposition, being able to prove that you have control over people's data. I think that summarizes the 72 different requirements of GDPR. Yeah, so GDPR for those of you who don't know general data protection regulation came out of the EU. One person on the Cube called it a socialist agenda. Yeah. But it's serious business and if you can't, I mean actually Jay, summarize what people should know about the exposure. I mean essentially you have to be able to identify personal information and be able to delete that personal information on request, right? For any European Union citizen. Resident or citizen. Right, okay so if somebody walks into Joe's pizza shop and says I want to sign up a bingo card to get mailings and your emailings, technically speaking that person, if they wanted to do business in the EU is responsible, is that right? You've got to know a 360 degree view of all the personal data that you have of your employees, your consumers, your customers. You've got to be able to produce evidence on demand that you have this level of control and whenever somebody comes in and asks for access to their data to correct it, to export it, to their email, or to erase it, you've got to know whether you can deny that request or do you have to fulfill it and you usually only have 30 days to fulfill it. So is this like one of the hotter topics going on in your world these days and what percent of your clients are actually prepared? I'll let Jay comment on how many are prepared but I think most companies frankly are trying to figure out how to be compliant and what is it they actually need to do but it is a hot topic. I think even before GDPR, the landscape was already complex. People are trying to respond to litigation investigations, retention requirements from regulations, cyber risk, how do we manage it and it's all about what data do we have, where is it and what are we doing with it and how are we controlling it and those questions are already there. GDPR highlights it and with the May 2018 deadline, I mean it's really putting the spotlight on it. Oh yeah, that's one little fact that we forgot to mention. The clock is ticking, we're down under a year. So how about customer readiness? I mean. I think when we crossed the one year milestone in May, a lot of boards got exercised. The phone started to ring off the hooks because they realized we only have one more budget cycle to get this done and so now I think they're realizing that because GDPR hits the tech stack and the IT budgets had already been planned for, the release cycles had already been put in place, they're now starting to ask, well we can't get everything done by next May, what are the most important high-risk things that we do need to get done and there's going to be more spillover work after May. I think this highlights something that was already present in terms of the need for cross-functional senior leadership to pay attention to this, right? This isn't just a legal or privacy topic, it isn't just an IT topic, this really hits across the organization and these folks need to work together. Yeah, Jane, could you help us kind of up-level a little bit? If I look at information governance, you mentioned it's super complex. You know, every company I talk to, they're deploying more and more SaaS in the keynote this morning, Veritas said, most of their customers have at least three clouds. We find, you know, absolutely, it's the strategy, especially if I start, oh, well, just different groups start using things then, how do I govern it? How do I even worry about security and backup and everything like that? How does this fit in the overall picture for most customers? Well, I guess that's what's interesting, right? There's no one right way of doing this, right? And so it depends on your business, your industry, your customer base, your geographic location and outreach and the data landscape. And you have to make smart decisions of what works within your corporate business culture even of what is it that we need to keep and how we need to keep it and enable, you know, our engineers, our users, customers to leverage data but also manage our risks. And there's just not one way to look at it, but again, it goes down to really knowing what control you have, what you have and where is it, right? But that's what's interesting, is for every company to figure out how is the best way for them to tackle it. So who's driving the information governance bust these days? I mean, with Sarbanes-Oxley, it was the CFO, with the federal rules of civil procedure, it was kind of the general counsel. Who's really sort of in charge today? I mean, depending on who owns in an organization, looks a little different, it's usually legal and or privacy and oftentimes they are within the same group. So a chief privacy officer, general counsel obviously involved, IT. Sometimes the compliance office, again, depending on how that's structured, but generally in that legal compliance privacy realm. Okay, and when I think about some of those previous generations, socks in particular, but also, I guess, FRCP, there was an effort within company, because the ROI was just like, oh, we got to do this. It was like, okay, what does it cost to not comply? They would sort of thread that needle. But there was always a faction that said, hey, we can, and consultancies were part of this, we can actually get value out of this. It's an opportunity to clean up your data, maybe to get rid of stuff, maybe you can reclaim some wasted space, et cetera, et cetera. Is that the way it is today with GDPR and maybe we could unpack that a little bit? Yeah, one of the first steps that you have to take for GDPR is to discover where all of your European personal data is. So data discovery effort. And in doing that, we've had a number of clients that for the first time, they've really put together a view of how they make money using data. And they're finding data, they're chief marketing officers, finding data they didn't know they had. And so now they're able to monetize that data if they can use it responsibly within the privacy regulations of GDPR. So marketing is oftentimes funding, helping IT and legal fund their GDPR efforts. And I think one of the other benefits is, if you have to go through this exercise to be compliant, but then you get additional insights in your data and you know where to invest more for those additional business opportunities, then at least hopefully you're reaping again more ROI off the effort. Well, I know the clock's ticking and there's a sort of virtual gund of organizations' heads, but getting into that whole value notion, monetization, most organizations that we talk to, they don't really have an understanding of how data fuels monetization. Not necessarily monetizing the data, but how it contributes to monetization. What do you see in the customer base? This is the biggest area, I think, where GDPR is going to morph after May of 2018. I think the companies that can protect their exposure to this regulation by going through the same processes to find out where their data is, they are positioned to monetize that data to take advantage of new market opportunities in Europe in particular. Okay, and by the way, we should mention that this actually, the law is in effect, it's just the penalties aren't being invoked at this point in times, right? So there was a year, one year of grace period, and I think a lot of people are thinking, well, maybe we'll get another year of grace period, it's going to be really interesting to see how that goes down, and presumably the EU's going to go after the big pockets, right? I mean, those are the guys who have to be most concerned about this, but what about that mid-size company? For your mid-size clients, what are you advising them that may not have the budgets of the big guys? We've been advising our clients that there are actually three ways that you can get hit by GDPR. The one that everybody's talking about is the famous 4% fine on your global revenues. That's what the regulators would impose on you if they discovered that you had an egregious violation of privacy. But there's another way that people aren't talking about that's going to be live on May 25th of 2018, and that's a new litigation risk for B2C, anybody in the B2C space, even if you're mid-size, if you violate the rights of a class of people, they can sue you on May 25th, and you can bet they're going to be law firms that are going to take advantage of this new situation. They can sue you as individuals. As a class of individuals. There's also, for people in the B2B space, we're seeing right away the contracting risk. In RFPs, they're saying as a conditioned bid for this work, you've got to be able to sign that you are GDPR compliant. So you'll be locked out of the European market. If you're B2B and you're not ready on May 28th. So we were talking off camera, and I was struggling with trying to understand the direct fit with technology, Jay, and I thought you had a good answer. So what's technology's role in all of this? I mean, technology, can it help us get out of this problem? There's two parts where technology is very important. First is just discovering where your data is. That takes a lot of technology tools based on your tech stack to be able to have an ongoing real-time data map. But the other one, the harder part, is responding to these individual rights requests to ask for where their data is, to correct it, to delete it, to have that 360 view of individuals throughout your information environment. I think that takes IT to a new level. It hits all parts of the tech stack. Right, because an individual can essentially say I need to know what you know about me, right? That's part of the difference. Exactly, and a lot of these companies that collect customer data and structured systems, they weren't really built for this type of exercise to go through and search for something and actually dispose of it. And so companies are having to think very tactically, okay, can I do this across all my different systems? And then certainly in unstructured data stores, again, what's there and how do we figure that out? So in the keynote this morning, we heard about GDPR, looked like I called it the doomsday clock, what was up on the wall. Can you bring back, how's Veritas doing? How are they helping customers with information governments and GDPR? Well, I think one of the really exciting things that they demoed and talked about there is some of the data scanning or data profiling information, whether it be the classification or reporting out in terms of what is in this unstructured storage. Again, in order for companies to figure out what it is that they need to do process and technology-wise is what do we have out there again? And they're giving and enabling customers with some of their tools to be able to get some insights there, which I think is really transformative. I think people have been talking about these things from either a legal discovery standpoint, certainly a cyber risk, and I think this is just really adding on. So again, these tools help enable all of them, but certainly for GDPR. You have to get this first step right, the data discovery and classification, because if you scope GDPR too big, your compliance costs are out of the roof. But if you scope it too small, your exposure is too big. So having a good discovery and classification approach is critical to the success of your GDPR program. Has the industry solved the classification problem? I mean, for years, you really struggled to classify data. You could classify maybe data in an email archive, but data became so distributed by its very nature. Has that problem been solved? I would say no, but I've certainly seen a huge uptick in companies actually finally just biting the bullet and getting themselves organized. But again, at least doing it because hey, we need to figure it out for GDPR and privacy. We need to figure it out for cybersecurity controls. We need to figure it out for e-discovery and just regular records management, how long we need to keep things. And so I think they recognize this satisfies a lot of different needs, but I don't know that there's an easy solution to it either. In the best practice, organizations have automated that presumably because otherwise it's not going to scale, right? I mean... In the long term, that's what they're seeking, right? But you need to get the structure right. So you need to have file plans and organization of the information that makes sense to your employees and the way you do work and then hopefully tie that back, knowing the data life cycle to be able to classify things based on role, based on access, based on data type. So there's a lot of upfront work, but ultimately that's the... So that's a taxonomical exercise? Is that right? Okay. But that's a heavy lift. And then it changes. It is, it is. But I think, again, there's multiple benefits to that. And then going forward, you've got things in order for all those reasons. But you can leverage the power of the technology and then your functional groups and what work they do. People know what work they do, how long it really needs to be kept. And if you kind of can marry those two things in the business, the technology side, you can get set up in the long term. And then you can automate the policies around data retention. Exactly. Now, what's your relationship specifically with Veritas? Well, you know, they're a client of ours, but we're also a client of theirs. So I guess we're friends on a number of different angles and whatnot, but our practice tends to, we are technology agnostic in general, but we definitely want to stay on top of the different leaders in the industry so that when we go to our clients, we can recommend, hey, these are the top two or three that we believe can help you based on your situation, based on your data landscape and be able to advise in that regard. So Veritas, between the backup tools, their e-discovery, and certainly some of the things they're doing information governance and GDPR, certainly one of the key providers that our clients should consider. So I've sort of set up this discussion with the little background of PWC, clearly one of the leading consultancies out there. I would point to your global footprint, your deep industry expertise, your understand technology, you've been around, you've got deep relationships. So other than those, what's the big difference, you know? Why PWC? And you can repeat some of those if you want, probably be more articulate than I was. I think one thing that's different is what we call the end-to-end approach where there might be other companies that have some of the qualities that you've talked about, but with GDPR, it hits across five to 10 different budgets in an enterprise and we'll take a company through a transformational journey across all of them. We have auditors and we have lawyers and technologists, forensic scientists, GDPR really hits across all the functions of the enterprise. Because of our scale, we can hit all of these, whereas other providers will take different slices of that. I would also add, you know, PWC looks at our clients as forever clients. We're not looking for a one transaction and see you later. I mean, we look at them in terms of, we want to be a firm that supports and partners them, whether it be on the consulting side, audit tax, whatnot. And so we look at that that way in terms of trying to support them. And maybe that's just one point solution, maybe it's broader, but we'll bring the right experts to the table that fits for that client. And so we always want to think about it that way. While we might have ways and approaches that we leverage, hey, if they've got a specific need or specific specialty, we'll bring the right experts to the firm. So that leads me to my last question, which is, so it sounds like GDPR and Jane in the context of that answer is not just a tactical sort of pain relief project. Is it part of the more strategic digital transformations? Are you able to make that connection or are people just in too much of a rush to fix the pain? No, Jane, I were talking about this earlier today. I mean, I'll use the example of some of the cloud transformation that companies are going through, right, if they haven't already, and thinking about their data and how they operate differently. And wait a minute, we don't need to forklift all our data over. Let's think about it and oh, by the way, let's make sure we're compliant with GDPR, right? So there's a number of different ways that you can kind of pull in different pieces that are helpful to clients. I think there are a number of different aspects to that that we were talking about. So it's certainly something front and center, but it's not a one time, let's check the box and move on, exercise either. Awesome, all right, we got to go. Thanks very much for coming over to meet you guys. All right, keep it right there, we'll be back with our next guest is theCUBE. We're live from Veritas Vision 2017 in Las Vegas. We'll be right back.