 Live from Berlin, Germany. It's theCUBE, covering NetApp Insight 2017. Brought to you by NetApp. Welcome back to theCUBE's live coverage of NetApp Insight 2017 here in Berlin, Germany. I'm your host, Rebecca Knight, along with my co-host, Peter Burris. We're joined by Sheila Fitzpatrick. She's the Chief Privacy Officer of NetApp and Paul Stringfellow, who is a technical director at Gardner Systems. Sheila, Paul, thanks so much for joining us. Thank you for inviting us. So I want to talk about data privacy. The general data protection regulation, the EU's forthcoming laws, GDPR, are going to take effect in May of next year. They represent a huge fundamental change about the way the companies use data. Can you just lay this, set the scene for our viewers and explain what these changes mean? Sure, happy to. So as you said, GDPR is the newest regulation. It will replace the current EU directive. Goes into effect May 25th in 2018. It has some fundamental changes that are massively different than any other data privacy laws you've ever seen. First and foremost, it is a legal compliance and business issue as opposed to a technology issue. It's also the first extraterritorial regulation, meaning it will apply to any organization anywhere in the world, regardless of whether or not they have a presence in Europe, but if they provide goods and services to an EU resident, or they have a website that EU residents would go to to enter data, they are going to have to comply with GDPR and that is a massive change for companies. Not to mention the sanctions. The sanctions can be equal to 20 million euro or 4% of a company's annual global turnover. Pretty phenomenal sanctions. So there are a lot of fundamental changes, but those are probably the biggest right there. So what are some of the biggest challenges that companies are, I mean, you talked about the threat of sanctions and just the massive implications of what companies need to do to prepare. 
So to really prepare, as I'm talking to customers, they really need, unfortunately, a lot of companies are just thinking about security and they're thinking, well, as long as we have encryption, as long as we have tokenization, as long as we're locking down that data, we're going to be okay. I'm saying, no, it first and foremost starts with building that legal compliance program. What does your data privacy program look like? What personal data are you collecting? Why are you collecting it? Do you have the legal right to collect it? Part of GDPR requires unambiguous, explicit, freely given consent. So companies can no longer force or imply consent. You know, a lot of times when you go onto websites, the terms and conditions are so impossible to understand that people just tip about, yeah. Well, under GDPR, that'll no longer be valid because it has to be very transparent, very easily understandable, very readable. And people have to know what organizations are doing with their data. And it puts ownership and more control of data back into the hands of the data subject, as opposed to the organizations that are collecting data. So those are some of the fundamental changes for the cloud environment, for instance, for a lot of big hyperscalers, data, GDPR now puts obligations on data processors, which is very different from the current regulation. So that's going to be a fundamental change of business for a lot of organizations. Now, is it just customers, or is it customers and employees as well? It's customers, employees, suppliers, it's any personal data that an organization collects regardless of the relationship. Yeah. So what does it mean? Does it mean that I'm renting your data? Does it mean that I, because you now own it, it's not me that own it. But what are some of the implications of how folks are going to monetize some of those resources? 
So what it actually means is, as an organization that's collecting data, you have to have a legal and valid business reason for needing that data. So part of GDPR requires what's called data minimization. You should only be collecting the minimal amount of data you need in order to provide the service you're going to provide or manage the relationship you're going to manage. And you are never as an organization the owner of that data. You're the data steward. So I am giving you permission to use my data for a very specific reason. You can't take liberties with that data. You can't do what I call scope creep, which is once you have the data, oh, I can do whatever I want with that data. No, you can't. Unless I have consented to it, you cannot use that data. And so that is going to be a major change for organizations to deal with. And it doesn't matter if it's your employee data, your customer data, your partner data, your alternative worker data, your supplier data, whichever data you have, you better be transparent about that data. So Sheila, you haven't once mentioned technology. Paul, how does this, what does this mean from a technology perspective? So I suppose it's my job to mention technology. So Sheila will tell you that GDPR it should not be driven by IT because it's not an IT problem. It's absolutely a legal and compliance issue. However, I think there's a real, there's a technology problem in there. So for lots of the things that Sheila's talking about in terms of understanding your data, in terms of being able to find data, being able to remove data when you don't need to use it, that's absolutely a technology problem. And I think actually maybe some of you won't hear said very often, I'm a real fan of GDPR. I think it's long overdue. It's probably because Sheila's been beating me around the head for the last 12 months about it. 
But I think it's one of those things long overdue to all of us within enterprises, within business who hold and look after data because what we've done traditionally is that we just collected tons and tons of data and we bought storage because storage can be relatively cheap. We're moving things to the cloud and we've got absolutely no control, no management, no understanding of what that data is, where it is, who has access to it. Does anybody even access it? I'm paying for it, does anybody even use it? And I think what this is, for me if GDPR wasn't a regulatory, a regulatory thing that we had to do, I think it's a set of really good practices that as organizations, we should be looking to follow anyway. And technology plays a small part in that, you know, it will enable organizations to understand the data better, it will enable those organizations to be able to find information as and when they need it. When somebody makes a subject access request, how are you going to find that data without appropriate technology? But I think first and foremost, it's something that is forcing organizations to look at the way they culturally to look after data within their business. You know, this is no longer about, let me just keep things forever and I won't worry about it. This is a cultural shift that says, data is absolutely an asset in your business. But as Sheila actually mentioned before and something I'll pinch in future, that the data is not mine, I'm just a custodian of that data while you allow me to be so. So I should treat that like anything else I'm looking after on your behalf. So I think it's those kind of fundamental shifts that will drive technology adoption, no doubt, to allow you to do that. But actually, it's much more of a cultural shift in a way that we think of data and a way that we manage data in our businesses. Well you're talking about it as this regulation that is long overdue and it will cause this cultural shift. 
So what will be different in the way that companies do business and the way that they treat their customer data and their customer's privacy? And their employee's privacy too, as you pointed out. Well, part of the difference is going to be that need for transparency. So companies are going to have to be very upfront about what they're doing with the data, as Paul said. You know, why are they collecting that data? And they need to think differently about the need for data instead of collecting massive amount of data that you really don't need. They need to take a step back and say, this is the type of relationship I'm trying to manage, whether it's an employment relationship, whether it's a customer relationship, whether it's a partner relationship. What is the minimum amount of information I need in order to manage that relationship? So if I have an employee, for instance, I don't need to know what my employee does on their day off. Maybe that's a nice thing to know because I think, well, maybe we can offer them a membership to a gym because they like to work out. That's not a must-have. That's a nice to have. And GDPR is going to force must-haves. In order to manage the employment relationship, I have to be able to pay you. I have to be able to give you a job. I have to be able to provide benefits. I have to be able to provide performance evaluations and other requirements. But if it's not legally required, I don't need that data. And so it's going to change the way companies think about developing programs, policies, even technology. As they start to think about how they're developing new technology, what data do they need to make this technology work? And technology has actually driven the need for more privacy laws. If you think about IoT, artificial intelligence, cloud, absolutely great technology, but from a privacy perspective, the privacy was never a part of the planning process. In fact, in many respects, it was the exact opposite. 
There are a whole bunch of business models. I mean, if you think about it in the technology industry, there's two fundamental business models. There's the ad-based business model, which is give us all your data and we'll figure out a way to monetize it. There's a transaction-based business model, which says we'll provide you a service and you pay us and we promise to do something and only something with your data. And it's a difference between the way Google and Facebook work and say Apple and Microsoft work. So how is this going to impact these business models and ways of thinking about engaging customers, at least where GDPR is the governing model? Well, it is going to force a fundamental change in the business model. So the companies that you mentioned that their entire business model is based on the collection and aggregation of data and in some cases, the selling of personal data. Some might say screwing you. Some might definitely say that, especially if you're a privacy attorney, you might say that. But they offer fabulous services and people willingly give up their privacy. That's part of the problem, is that they're ticking the box to say, I want to use Facebook. I want to use Twitter. I want to use LinkedIn because these are great technologies, but it's the scope creep. It's what you're doing behind the scenes that I don't know how you're using my data. So transparency is going to become more and more critical in the business model and that's going to be a cultural shift for companies that their entire business model is based on personal data. They're struggling because they're the companies that no matter what they do, they're going to have to change. They can't just make a simple change their policy or procedure. They have to change their entire business model to meet the GDPR obligations. 
And I think from what she says there, obviously GDPR is very much around kind of private data, but the conversation we're having with our customers is a much wider scope than that. It is all of the data that you own. And it's important that I think organizations need to stop being kind of fast and loose with the information that they hold because not only is there private information about those people there that, you know, me and you and that we don't want that necessarily leaked across the world to somebody who might want to look to exploit that for some other reason. Well, that might be business confidential information. That might be price list. It might be your customer list. And at the moment, I think in lots of organizations, we have a culture where people from top to bottom in an organization don't necessarily understand that. So they might be doing something where, we had a case in the UK recently where some record security arrangements for Heathrow Airport were found on a bus. So somebody copied them to USB stick. No encryption. Somebody copied it to USB stick, thought it was okay to take home and leave in the back of a taxi. Probably didn't think it was okay to leave in the back of the taxi. We certainly thought it was okay to take that information home. And you look at that, I think, well, you know, what other business asset that that organization held, would they have treated with such disdain almost to say, I just don't care. This is just ones and zeros. Why would I care about it? It's that shift that I think we're starting to see. And I think it's that shift that organizations should have taken a long time ago to see, you know, we talked to customers, and you hear it at events like this all the time, data is the new gold, data is the new, you know, precious material of your choice. Which it really isn't. It really isn't. Here's why I say that. And this, because this is an important thing, at least the next question I was going to ask you. 
Every asset that's ever been conceived follows the basic laws and economics of scarcity. Right. You do it, you can take gold, you can apply it to that purpose, you can make connectors for a chip, or you can use it as a basis for making jewelry or some other purpose. But data is fungible in so many ways. Absolutely. We connect it, and in many respects, the act that we talked about a little bit earlier, the act of making it private is, in many respects, the act of turning it into an asset. Absolutely. So one of the things I want to ask you about, if you think about it, is that there will still be a lot of net new ways to capture data that's associated with a product or service or a relationship. So we're not saying that GDPR is going to restrict the role the data plays, it's just going to make it more specific. We're still going to see more IoT, we're still going to see more mobile services as long as the data that's being collected is in service to the relationship or the product that's being offered. Yeah, you're absolutely right. I mean, one of the things that I always say is that GDPR's intent is not to stop organizations from collecting data. Data is your greatest asset. You need data to manage any kind of relationship. But you're absolutely right in what it's going to do is force transparency. So instead of doing things behind the scenes where nobody has any idea what you're doing with my data, companies are going to have to be extremely transparent about it and think about how it's being used. Data, you talked about data monetization, healthcare data today is 10 times more valuable than financial data. It is the data that all hackers want. And the reason is because you can take even aggregate and statistical information that through, say, trial clinics to information that you think there's no way to tie it back to a person and by adding just little elements to it, you have now turned that data into greater value and you can now connect it back to a person. 
So data that you think does not have value, the more we add to it and the more sort of profiling we do, the more valuable that data is going to become. But it's even more than that, right? Because not only are you connecting it back to a person, you're connecting it back to a human being. A human being, absolutely. Whereas financial data is highly stylized. It's defined, it's like, this transaction is defined and there's nothing necessarily real about it other than that's the convention that we use to, for example, do accounting. But healthcare data is real. It ties back to what am I doing? What drugs am I taking? Why am I taking them? When am I visiting somebody? This is real, real data that provides deep visibility into the human being, who they are, what they face, any number of other issues. Well if you think about GDPR too, they expanded the definition of personal data under GDPR. So it now includes data like biometric and genetic information that is heavily used in the healthcare industry. It also includes location data, IP information, unique identifiers. So a lot of companies say, well we don't collect personal data but we have unique identifiers. Well if you can go through any kind of process to tie that back to a person, that's now personal data. So GDPR has actually the first entry into the digital age as opposed to the old fashioned processing where you can now take different aspects of data and combine it to identify a human being, as you say. So I got one more question. This is something of a paradox. Sorry for jumping in, but I'm fascinated by the subject. Something of a paradox. Because the act of making data private, at least to the corporation, is an act of creating an asset. And because the rules of GDPR are so much more specific and well thought through than most rules regarding data. Does it mean that companies that follow GDPR are likely in the long run to be better at understanding, taking advantage of and utilizing their data assets? 
That's the paradox. Most people say, I need all the data. Well GDPR says maybe you need to be more specific about how you handle your data assets. What do you think? Is this going to create advantages for certain kinds of companies? I think it absolutely is going to create advantages. In two ways. One, I see organizations that comply with GDPR as having a competitive advantage. Because number one, it goes down to trust. If I'm going to do business with company A or company B, I'm going to do business with the company that actually takes my personal data seriously. But looking at it from your point of view, absolutely. As companies become more savvy when it comes to data privacy compliance, not just GDPR, but data privacy laws around the world, they're also going to see more of that value in the data. Be more transparent about it, but that's also going to allow them to use the data for other purposes. Because they're going to get very creative in how having your data is actually going to benefit you as an individual. So they're going to have better ways of saying, but by having your data, I can offer you these services. GDPR may be a catalyst for increased data maturity. Absolutely. Well I want to ask you about the cultural shift. We've been talking so much about it from the corporate standpoint. Will it actually force a cultural shift from the customer standpoint too? I mean, this idea of forcing transparency and having the customer understand why do you need this from me? What do you want? Famously, Europeans are more private than Americans. I can't make sure. And Americans, as you said, just click accept. Okay, fine, tell me what I need to know or how can I use this website? Well, I think it's not necessarily from a consumer point of view, but I do think it's from a personal point of view for everybody. So whether you work inside an organization that keeps data, they're starting to understand just how valuable that data might be. 
And just to pick up on some things, I just have to pop back something you were saying before. I think one of the other areas where this has business benefit is that that better and increased management and maturity, actually, that's a great word. Yeah, that better maturity around how we look after our data has huge impact because it has huge impact in the cost of storing it if we want to use cloud services. Why am I putting things there that nobody looks at? And then looking at maintaining this kind of cultural shift that says, so if I'm going to have data in my organization, I'm no longer going to have it on a USB stick and leave it in the back of a cab when it's got security information of a global major airport on it. I'm going to think about that because I'm now starting to understand and this big drive about people starting to understand how the information that people keep about you has a potential bigger impact. It has a potential bigger impact if that data's, we've seen data breach after data breach after data breach. You can't look at the news any day of the week without some other data breach. And that's partly because a bit like health and safety legislation, GDPR's there because you can't trust us as organizations to be mature enough with the way that we look after our data to do these things. So legislation and regulations come across and said, well, actually this stuff's really important to me and you as individuals. So stop being fast and loose with it. Stop leaving it in the back of taxis. Stop letting it leak out of your organization because nobody cares. And that's driving a two-way thing. There's partly we're having to think more about that because actually we're not trusting organizations who are looking after our data. But as Sheila said, if you become an organization that has a reputation for being good with the way they look their data and look after data, that will give you a competitive edge. 
Alongside, actually I'm being much more mature and being much more controlled and efficient with how I look after my data. That's got big impact in how I deliver technology internally within a company. Which is why I'm enthusiastic about GDPR. I think it's forcing lots and lots of long overdue shift in a way that we as people who look after data or architect technology, start to think about the kind of solutions and the kind of things that we do in the way we deliver IT into business and enterprise across the globe. I think one of the things too, and Paul brought it up, is he mentioned security several times. And as Paul knows, one of my pet peeves is when companies say we have world-class security, therefore we're compliant with GDPR. And I go, really? So you're basically locking down data you're not legally allowed to have. That's what you're saying. Well, I think you said earlier, it's not just about having encryption everywhere. Exactly. And it's funny how many companies say, well, we're compliant with GDPR because we encrypt the data. I go, well, if you're not legally allowed to have that data, that's not going to help you at all. And unfortunately, I think that's a lot of companies think that as long as we're looking at the security side of the house, we're good. And they're missing the whole boat on GDPR. It's got to be secure. It's got to be secure. But. You've got to legally have it first. Right. Exactly. So really an issue with security around data, you know, when Mustafa and Sheila talk about this quite a lot, is that one of the risks you have is you can have all the great security in the world. But if the right person with the right access to the right data has all the things that they should have, that doesn't mean that they can't steal that data, lose that data, do something with that data that they shouldn't be doing, just because we've got it secured. So we need to have policies and procedures in place that allow us to manage that better. 
A culture that understands the risk of doing those kind of things. And maybe alongside technologies that identify unusual use of data, you know, are important within that. Yeah. Well Paul, Sheila, thank you so much for coming on the show. It's been a fascinating conversation. Thank you very much, appreciate it. No, thanks Pamela Zahn, appreciate it. I'm Rebecca Knight for Peter Burris. We will have more from NetApp Insight here in Berlin in just a little bit.