 Hi, I'm Peter Burris and once again, welcome to theCUBE. We're broadcasting today in this wonderful CUBE conversation from our Palo Alto studios and we're really lucky. We've got a really interesting topic. We're going to be meeting with Manmeet Singh, who's the founder and CEO of DataGuys. Manmeet, welcome to theCUBE. Thank you, thanks for having me. So Manmeet, we're going to talk a lot, we're going to talk today about the whole concept of data privacy and how to improve the tooling for it. First, tell us a little bit about yourself and DataGuys. Well, I founded DataGuys in 2008, nine time frame. We have been around for about nine years. We have raised money at different levels. But today, what we decided, people call it GDPR. We had defined it earlier. Today, people call it PII, PCI. So all that thing, the compliance issues are coming. That's what we have been defining and doing. So the whole concept of, as I mentioned, data privacy is extremely important. As you said, GDPR, new regulatory pressures, new ethical pressures, business pressures, but increasingly also new consumer and customer pressures to force businesses or to encourage businesses. Let's put it a little bit more nicely. To be more clear about what information they're gathering about the customers they're doing business with and how they're using that information. But the tooling to do that is all over the map. And that's one of the first excuses that businesses use is, will that be too hard? Well, what can be done to dramatically simplify the process of identifying what is and what is not private data from a customer standpoint? Oh, this is, you pretty much put everything in a small nutshell for the whole problem which is existing. What businesses are saying, they cannot solve the problem is no longer true. There are companies like us and there are many other companies who are in the similar frame which are doing something else than what we do. But our company has been looking at these problems for a long time and data which they are collecting, they're not telling people what they have. And they just don't want to with these laws and compliance issues with teeth which are coming out today are forcing them to tell people what they have about them, tell people if they want to use them in the right way or not. So people are getting more control of the data. Earlier the businesses had control of the data and this is what these laws are supposed to do. And I think they're doing the right thing. Well, there's this notion of information asymmetry which is a very powerful concept and basically a situation that is informationally asymmetric exists when the buyer or the seller has a superior understanding of the information associated with the transaction and therefore is able to get a better deal or more value out of the transaction. And many respects what we're talking about is circumstance when customers or consumers don't know what value a business is extracting from that transaction independent of that specific knowledge or information they provided to them. And they're trying to claw that back to ensure the right level of trust, the right level of river activity, things that in fact are in concert with good business practices. Have I got that right? Absolutely, absolutely. Once you give the data to the customer by taking a loan from a bank or just buying a car or something, you don't know where that information is being used. They get all the information from you. They get your security number, they get your income, they get your number of dependents you have. They even get your sexual orientation on top of it. Now, do you want the bank to know all that about you if you're not being business with them? Do you want these other agencies like social networks to know all that about you and share that information freely? No, you don't. How do you get that control? And that is the biggest problem which we are facing today because these businesses don't want to customers to know that. And they were kind of keeping that information and extracting a lot of amount of value and targeting you guys because they know who are the high net worth people. So they were distributing that data in a many ways. These are my top 2% customer. These are my top 30%. Okay, I'll protect this data but I'll extract most value out of it. Well, these are people who make so little income. They are not that useful as a customer but they are still useful as a data because I can make a generic content. So there they keep them in the lower grade level. So those things, they should tell customers. They should tell what they are extracting. So those things were not happening. And that's why if you look in Europe, there's GDPR law which has come out and I think similar legislation will come in US sooner or later it has to come in because customers are becoming very aware of this whole problem today and the data loss which is happening on a regular basis. Well GDPR provides for two types of things that a business must do. It must provide insight into the data that it's captured about a business or an individual legal entity. And it must also then provide the processes for remediating or taking action against that data according to whatever the customers want you to say. Tell us a little bit about that. So these are two important features because of GDPR. First thing GDPR has 99 articles and 173 articles and 99 like technological ways. There are other ways, legal ways to do it but technologically what they want. Like if Peter decides that I need to know from this bank or this social media company how much information you have about me and what are you doing with it? They have to provide that information is 30 days. That is called right to access. And the second thing is you can come and say well I'm not using these five things which you sold me earlier. I don't want you to use that information or even have information on that for me or my son or my kid. So you can tell them delete that information or mask that. And this is- And that's called the right to? Right to erasure, right to remove the data. And these two things are very important. This gives customer, they make customer the king. They make the individual the king. He can say tell me what you have on me and delete what you have on me. Now the laws have been in the books and at least in the EU for GDPR for a while but the fines start getting leveled in May. Now we've heard that there's a lot of businesses large and small that are having a problem and they're asking for more time because it's so difficult. Your argument is no it doesn't have to be difficult. There is tooling to do this. Talk a little bit about some of the data guys toolkit and how it's solved this problem so that someone actually can come into compliance for example with GDPR. Correct. So what we have been doing for nine years is searching the sensitive data across an enterprise. In different platforms they have, it could be databases, unstructured data or file systems. Whatever way they are collecting data, our tools, our products can go search for that sensitive data. That's the basic minimum which you have to prove. For any company, search across all the platform, all the data platform, you have the sensitive data for individuals or the sensitive data in anyways. Once you have that, then you need a remediation on that which could be either masking, reduction or encryption. We provide all that on the premise product also and then you need monitoring of that data. So we provide monitoring on that also and you have to give a breach detection or you have to have a breach detection or if there is a breach of the data you have to notify the people in less than 72 hours. We can do that because we can find your breaches in real time and tell you what is in there. So our product is fully connected from finding the sensitive data to masking, the remediation or encrypting or redacting and then monitoring that data. So this is the on-premise thing. What we announced recently when our Amazon show which happened like two weeks back what our product is now available as a SaaS product on all three clouds, Amazon, Google and Azure. And if the company is born in a cloud company and they have all the data on the cloud they can do it over there. They don't have to install our product. They just subscribe to our product and they can do it. They can pay the monthly rent of our product and just use it or they can open up a path if it's a small company which doesn't want to implement the product. They don't have resources. You implement it on site. Implemented on site, yes. They can take our SaaS product, open a little hole on the VPN and find everything on the databases or the file system they have and we can help them do all the things which are required. So that notion of privacy compliance as a managed service. Correct. Privacy compliance as a managed service. That's a good one, yes. So the bottom line is if I'm a large company I don't have an excuse anymore. I can know. No you don't. You've created and you've been around for nine years. So this is not some fly by night thing. No, no, no. We have been around for a while. So I can install the tool. I can run through my sensitive information. I can start grabbing and creating metadata regarding, because it's really not creating a general purpose catalog. It's creating specifically metadata and a catalog if you will of privacy related information. Information, correct. So a large company can do that and then a customer now can be given visibility into from a right of access standpoint and be given options about what it does. And your tool will then also take action against the data to be in compliance. So just not do it. Some large companies are already doing it. Some of my early customers have been with me for four to five years. They have been using my product. They are the largest of the large financial institution, largest of the large healthcare institution, social media companies, companies who are available selling and buying products. So they have been using my product. There are companies who are using it and are successfully using it and they have been cataloging it and masking it and figuring it out. But now they have to make it available to the customer. So there for them, it's only one step process. Companies who have not started doing anything on it or have not thought about it, they can start using our product. They can start looking into it. They can start implementing it. If they don't have that much resources to implement, they can buy our SaaS product, which is available, which can link to their systems and give them privacy and compliance over there. All right, so time and value is a big issue in everything. Give us a sense of if they made the decision tomorrow, at what point in time are they actually going to be in a position to satisfy, at least in the GDPR sense, right to access, right to erase your laws? That's a good question because it totally depends upon the how much data they have. See, there is a physics law on that one. You cannot scan petabytes of data in three days. But if you have only terabytes of data, we can get it done in like days time or weeks time. But if you have petabytes of data, you have to be doing it like six months earlier. Since January, some companies have not even started doing it. They should do it now because GDPR will not come find you right away. They will say, if you have a process in place, they're going to give you some time. So you need to start like right now. It may very fifth is just right away. This is not like a why to keep a problem which will go away. This is a problem which is going to keep growing, keep growing, keep growing, because the data is going to keep growing. And the compliance is going to keep coming after you again and again. It's not something which after metro year, there's going to become like less effective. It's going to become more effective because they're going to find people. They're going to bring, I'm pretty sure, some European companies are going to get fined. They are definitely. Once they get fined, people are going to realize that this is not, this is with teeth. So they will have to do something about it. Yeah, and we have a chief privacy officer client that has told us that for example, if one of the big breaches that occurred last year, US financial services company, that had it happened under the GDPR laws after the fines were put in place, it would have cost that company $160 billion in funds. It would have put them out of business. But I'm out of business. So the bottom line is if we're looking at this, there's a, it's not, it's not such an onerous process that it's company that started now could in fact demonstrate that they're making, you know, a really good faith effort to try to come into compliance with this. But there's, but it's not just GDPR. And it's, although maybe catalyzed by regulation, but increasingly, this notion of information asymmetry is going to become more obvious. They may not call it that, but more obvious to consumers and businesses as well. And the whole notion of the amount of trust you should put in a brand is going to become an attribute of the decision about who you work with. How do you envision that tooling like this is going to become a part or a significant feature of a company's brand being able to demonstrate the capacity or the capabilities for doing this? I think this will become a selling point. Compliance is one way of doing it because then you are just tick-marking for the law. But second is the customer is becoming so aware today. The customer is going to say, okay, how do you protect my data? What all do you have? What kind of tools or products you are using to protect my data, to monitor my data? Otherwise, I would not take loan from you because I have 20 options to take loan from. I'll go to that bank, which is providing better compliance and better security for my name and my data on my information. So similarly, you're not going to buy from one company to another company depending upon what all they collect on you. What all they use it for? You're going to question that. So the awareness which all these breaches and all these social media hacks which have happened in last like six months, nine months and a year you have seen are creating a social awareness among people. People are talking about it. If you go to social tools, people are talking about it. You go to business tool, people are talking about it. On your WhatsApp, you're receiving so many things where people are talking about it. Hey, my data is important to me. Share, don't share it. So those things that become earlier, it was like, hey, my data, who cares about it? But now it's all changed. My credit card number is important. My name is important. My show security, those things are so important that the customer is going to demand that of the companies. So companies have to invest a lot of money on that. And they should have been doing it till now, but now they will be forced to do it. It's not just a compliance, which I think they all have come together. Compliance that come at a time when these breaches are happening. So the awareness is there and the compliance is there and the issues are there. So these things will make it happen. So I'm going to give you two other examples. One is, or two other questions related to this. One is, from personal experience, I know that a lot of companies don't realize that certain systems are in fact a part and parcel of the service path that they have to customers. And when, for example, ransomware occurs or when they get hacked and people start grabbing information that they find out that information was grabbed out of a system and they don't associate with personal data. Are you going to, is your tool going to be able to elevate that conversation? So you in fact do know everything that has personal information in it and you can bring new security, new other types of practices to bear on it. So older securities which have been existing. Actually, let me put this question in a good way. What you did, it's a very great question. Older security tools have been existing. They have been a fence around the whole system. They protect ransomware, they protect people from coming in, going out. But still the breaches happen. First thing is breaches will happen no matter what. They're going to figure out a better way to get into your systems. Now they've gotten into the systems. The companies have been existing for years and they don't even know how many databases or how many file systems they have. Forget about data. They don't even know how many databases. There was a company, I can take an example. They said, oh, we have only 18 databases. Oh, well, let me find out. We ran our tool over there. We discovered 735 databases. The reason was they had employees who came in, created data, downloaded data from the production system and that was not secure. Then we found security numbers, email addresses, and people's salary in those 720. I go, do you even know that you have 720 databases? They were like, I knew only 15 of them and all of a sudden they bought my product because now those 715 have to come in compliance because they did not know about it. Now they know about it. They have to do something about it. So there are tools which our company provides which can do those things. These are large banks I'm talking about. These are not like Tom and Harry shows which are like small companies which are like 5 million revenue. These are like billions of revenue companies and they have databases. They have file systems in the range of 1,000 to 10,000 file systems. They don't even know what they have in there. We can scan them out but it'll take time. So I think that's an important thing. Now the second thing I wanted to say is GDPR does have right to access and right to erasure but it also attempts at least, most regulations are likely to do this, to make it possible for a company to make reasonable use of data once it's been anonymized. So for analytics to improve products, to improve the quality of service, do you get in the way of that? No, we actually make that way very effective. What we do is Peter comes in and says, remove my name and social security number and my address from everywhere. We can anonymize that data, we can mask it but still keep the statistical analysis of the data in the same way. So Peter will become James with different social security number which has no compliance issues because the data of Peter has gone. It'll still tell you that this person stays in this city who bought this much on MasterCard and this much on VisaCard and had that kind of income but it won't be related to the PII, PCI or even GDPR so it'll be compliant but it'll still give you statistical analysis. This is what they should have been doing. This was a smart practice. This was a good practice which we have been advocating for nine years to large companies but the good thing is now the GDPR and the compliance issues have come in so they have to do it by force and they're going to buy my product more and they have to use it. Right, so the bottom line is you've been out there for a while and the market's coming to you. Yes, it's happening now. All right, Manmeet Singh, CEO, founder of DataGuys. Yes. Great conversation about how to establish tooling to improve visibility into privacy data for regulatory trust and other issues. Thank you very much. Thanks for having us. Thanks for being on theCUBE. Thank you. Once again, I'm Peter Burris. You've been listening to a CUBE conversation from our Palo Alto studios. Thanks very much for being here. Thank you. Thank you.