Live from Nice, France. It's theCUBE, covering .NEXT Conference 2017 Europe, brought to you by Nutanix.
Hi, I'm Stu Miniman, and we're here at the Nutanix European conference, .NEXT, and being in Europe, one of the hot topics of conversation, leading up to May 2018, is, of course, GDPR. So, happy to welcome to the program two guests that are here talking about this. Fanka Krumm-Mueller and Nina Fasalief. Thank you so much for joining us today. So, Fanka, we'll start with you. You're a partner with OpenCities. Tell us a little bit about your background and what your organization does.
Sure, so OpenCities is a consultancy. We work together with companies and businesses, helping them to understand the impact of policy and politics on their business, especially European politics and national politics of countries in Europe. We're based in Paris, and I'm here to talk about GDPR.
All right, and Nina, you're a security and GDPR consultant, tell us a little bit about your background also.
I used to work for Volkswagen Group France, as CTO, and then as CISO, and then I was asked to work basically on GDPR and security as a consultant, because many companies want to be compliant by the due date of May 25th next year, and many companies are having a hard time, so I'm doing business analysis, audits, and creating roadmaps for GDPR.
Yeah, that's great. Fanka, there's been many times when policy and technology come together, but GDPR feels like kind of this growing buzz. Those of us who've been around the industry, it was like, I've heard people, it's the new Y2K, it's this impending thing. There's a lot of uncertainty, it seemed, for something that has, there's a big legal document on it. Give us where people are, how are they feeling, how are you helping people go with it when there is so much uncertainty there?
Yeah, so I mean, first of all, it's very interesting to know that a lot of companies, even in Europe, but also outside of Europe, who will be concerned by GDPR, are not even aware of the fact that this regulation exists and that they are concerned and they need to comply. And then the other half, roughly, it's unclear whether they will be able to comply by the deadline in May of next year, because it's a huge burden on a majority of the companies. They really have to review all of their processes, maybe do something new, get outside expertise on how to do so. So, and if they don't, they actually face huge fines from the European Union, which is obviously a way to try and incentivize these companies to do all that hard work to be able to comply.
Yeah, Nina, as if IT organizations didn't have enough challenges to work with, it's like security's keeping most people pretty busy these days. So, where does GDPR fit into the discussion? How do they bring it up? Where in kind of the organization does it usually bubble up and which teams need to kind of address this?
Well, GDPR actually concerns everyone, so really concerns the business, but IT has a big role to play in the sense that, for example, many companies don't know what applications they're running. So, I've seen three companies and they might be running, let's say, they say, okay, we're running on the cloud for the applications, but when they start looking at it with shadow IT, they might be running the triple. So, it's actually good because it's forcing best practice, it's forcing inventories, audits, and it's cutting costs at the same time.
Yeah, I moderated a customer panel towards the beginning of the week here and there was one, in a research organization, they like, look, we've anonymized all our data. I think we're pretty good. One that was like, well, I'm doing a lot of cloud stuff. Amazon will take care of this for me, or something like this. But if you ask all of them, are you ready?
Most of them kind of said, yeah, we think we're ready. What do you find, Nina? Are most companies really ready?
I'd say most are not. I find that in the UK, they've understood most companies that they really need to be thinking about at the big companies. Some of the small companies are just waking up. In the US, they're really thinking about it too, how it's going to touch them, because all services and goods concerning European citizens are concerned. So companies are really, and executives are waking up. And for France, for example, I'd say about a third of the companies realize it's going to really hit them, and there's many others that are not ready at all.
Yeah, you mentioned, Franca, that half of all companies barely heard about this. And absolutely, most companies today are global. Even if you're some local place, you have customers and everything. So what's the step beyond becoming aware? Where do people need to go?
Right, I mean, there's several things they should be doing when they start to realize that they are actually concerned by this regulation. But one of the most important things is to just educate yourself about it. What do I need to do? Do relevant people within the company know that we need to respond to this? Are they aware that something needs to be done quickly? And then conduct an internal information audit, like what data do we hold? Why do we hold it? Do we really need it? What are our processes? And then maybe appoint a data protection officer, somebody who is on the inside of the company and will have the legal responsibility to inform them about how to be able to comply with GDPR. Things like these, I think, are the most important things to do in the very beginning.
Yeah, Nina, I've heard the most from companies that handle data protection, IBM, Veritas, Veeam, all ones that I've heard kind of a strong push from them. Is it a company like Nutanix? Do they fit into the picture?
Is it just something that they're part of the landscape and they're trying to help be good citizens to make sure their customers are aware? What's from a technology standpoint?
From my perspective, it concerns every technological company that's running a service concerning European citizens. So of course it concerns Nutanix. And yesterday we had a really great session for executives to explain, and quite a few of them were actually saying, hey, I didn't know GDPR really concerns me, and so it's good that Nutanix realized they need, they also need to wake up.
And I mean, it does even concern companies who are not based in the EU, but simply by the fact of holding data that concerns EU residents, they need to comply. That's something which is obviously extremely important because it affects companies globally, even though they might think we're not based in the EU, we don't have any headquarters in the EU, we're totally not concerned. Well, yes, they are as soon as they hold EU residents' data.
Yeah, well, the clock's been ticking. I mean, it was only towards the beginning of this year that I kind of first heard about GDPR, I've done a number of interviews and talked to many companies. Any chance it's going to get delayed or are the lawsuits just going to start once we hit tonight?
Well, I guess the authorities who will be responsible for overseeing whether the companies are compliant, if there is a data breach or something like this happens, I think they will really look at the processes that companies have put into place and if there is a good amount of goodwill and work has been done and it's a minor breach to a certain extent, they will probably be lenient in the very beginning because they know what burden it is on companies to comply. On the other hand, obviously they need to also set a precedent and show that they're actually serious about enforcing this regulation.
So depending on what company they have, if the Amazons and the Facebooks don't comply, that will be a huge problem. If a small business doesn't comply, that's maybe a little bit different.
Yeah, yeah, just following up on that, yeah, boy, companies have so many different challenges that they need to work through. Any kind of first steps that they need to make sure that they're doing to kind of meet with what is expected?
Well, I'd say just for them to be compliant to start with is to find out what they're really running on systems and on the cloud, applications, to do inventories, to do business assessments, to see what risk is involved around it. And I find that most companies that are starting to wake up, the first thing they do is they realize they don't know what they're running. So operations has a lot of work to do and the security staff.
The other question I have is, we spent the last few years, a lot of companies are getting excited about what they can do with information. Is this going to be now a headwind that's going to stop companies and say, wait, hold on, maybe I shouldn't be holding on to everything or is it just having kind of the right governance in place to make sure I have protections for personal information as opposed to more anonymized information?
I would think that it's the governance. It will make a big difference in many companies for the governance of IT. It might change the roles of CIOs and operation staff. I don't know, what do you think?
Yeah, I mean, I think companies will have to reevaluate what kind of data do they hold and for what purpose. And ultimately, GDPR actually really introduces this principle of you need to have, first of all, consent to hold the data and then second, it needs to be data that you really need for your operations and to deliver the service or whatever you're delivering. So if there is no good reason for you to hold certain data, then you're actually, strictly speaking, not even allowed to do so.
So I think that should probably change a little bit how companies view the type of data that they hold and for how long.
Yeah, and I've even heard, we talked about some of the global impact because even if this is the EU, but it affects people that work there, but other governments are looking and might copy that if this becomes kind of the template to go forward.
Right, and we've seen already, I think South Africa, Singapore have published papers that are relatively similar. And it does make sense. It's a very, this regulation was negotiated for four years in the EU, so it took some time to agree. And if it's globally applicable and if it's extremely strict and high standard, it makes sense that it's being copied.
All right, I want to give you both the final word as to kind of takeaways for this topic.
Well, I'd say if anybody's thinking about GDPR, I know there are 99 articles, but in most companies, like 30 to 40 really concern the company. Not to be scared, you need to start from something and just to see what really concerns you.
And I think the most important thing to know is that there are many legal and IT experts out there who really know this topic, which is very technical, extremely well. So it's probably a good idea to get outside consultants, look at your processes and how you should go about things.
Nina and Fanka, I think that's part of the reason that Nutanix brought you in is to socialize some of their customers and even some of their executives with the expertise that you bring. So thank you so much for sharing with our audience. We'll be back with more coverage here. Getting towards the end of two days of live coverage from Nutanix .NEXT in Nice, France. I'm Stu Miniman and you're watching theCUBE.