Live from Austin, Texas, it's theCUBE, covering Dell EMC World 2016, brought to you by Dell EMC. Now, here are your hosts, Dave Vellante and Stu Miniman.

Welcome back to Dell EMC World 2016 in Austin, Texas. This is theCUBE, the worldwide leader in live tech coverage. Dale Skivington is here. She's the Chief Privacy Officer at Dell, and she's joined by Nick Curcuru, who's the Vice President of the Big Data Practice at Mastercard. Folks, welcome to theCUBE, thanks for coming on.

Thank you for having us.

Very important topics, privacy and security. I like to talk about them as two sides of the same coin. But Dale, why don't you start it off? Tell us what you guys are talking about here at Dell EMC World.

Thanks. Well, you're right, privacy and security are often treated as two really different topics, and Nick will cover a lot this afternoon about the importance of securing data in order to have a successful big data program. But privacy is also a concern to our shareholders and stakeholders. Privacy deals with what information you collect, how you use that information, and with whom you share it. That's a little different from securing the data, and our regulators and our customers are getting increasingly concerned about those issues, so it requires some governance and some thought to be put into those programs. That's what we're going to talk about today.

And it's interesting, Nick, because in 2006, when the Federal Rules of Civil Procedure required organizations to retain and produce electronic material, data instantly became seen as a liability, and everybody wanted to understand, okay, when can I delete it, when can I get rid of it? Then, when this big data meme occurred, all of a sudden data became an asset in a big way. It had always been an asset, and we know that, but now in a bigger way; it was almost like a bit flip, and it changed attitudes. Is that a reasonable description, and how did that affect how you approached privacy?

Well, you're absolutely right. Data became an asset. Everyone wanted to monetize the data they were carrying, because there were great nuggets sitting inside that data. So when we started talking about security, originally we talked about personally identifiable information, right? That's what everyone was after: name, address, phone number, even email addresses. But then, as we started to bring in other sources of data, such as Facebook, Twitter, all that data that sits out there in social media, we started to realize other pieces of information needed to be secured as well. So now you broaden the way you look at security, because all this unstructured data starts to come in where you can identify people through a picture, a photograph, or a Twitter feed. And what you want to be able to say is, how do I protect that as much as I protect someone's credit card, or someone's name, address, and phone number?

And Dale, talk about your role at Dell. It's interesting to have a chief privacy officer on at Dell, and now of course Dell EMC opens up a whole new can of worms, if I can say that.

So together with our chief information security officer, who looks at the policies and procedures around securing data, my team is responsible for the policies, procedures, and controls relating to the use of the data.
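As a minimal illustration of the broadened PII scrubbing Nick describes, here is a sketch that redacts obvious identifiers from free text. The patterns and function names are illustrative assumptions only; real detection of identifiers in photos or social feeds requires far heavier machinery than a pair of regexes.

```python
import re

# Illustrative patterns only; production PII detection would also rely on
# NER models, image analysis, and far more robust email/phone handling.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\b\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")

def redact_pii(text: str) -> str:
    """Replace obvious identifiers in free text with placeholder tokens."""
    text = EMAIL_RE.sub("[EMAIL]", text)
    text = PHONE_RE.sub("[PHONE]", text)
    return text

print(redact_pii("Reach Jane at jane.doe@example.com or 512-555-0143."))
# -> Reach Jane at [EMAIL] or [PHONE].
```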
So, you know, the reason our session today is called the ethical use of data is because the laws are lagging a little bit in terms of requiring certain things to be put in place about use. They're starting to develop, but what regulators in the US, Europe, and elsewhere have done is give technology companies a chance to put good governance in place. They've asked companies to put in internal review boards and accountable, responsible individuals in those organizations to make good decisions about the use of data. And that's what a chief privacy officer helps the organization do: develop the governance structure and help with accountability for the decisions around using data.

So there's obviously a big discussion going on like this inside of Mastercard, and Nick, you were talking about how everybody wants to monetize the data, or figure out how data can help them monetize. So how do you deal with that? You know, analytics, and, you guys talk about the creepy factor. I always worry that Amazon knows more about me than I do. They know when I'm out of something and I'm reordering, and my patterns, and that's kind of creepy. So how do you deal with that?

You know, part of what we do on my side of the house is we anonymize the data, in many cases, for that type of analysis. We try to take that personally identifiable information out of the analysis. We call it anonymization, where on the front end we say, I don't care who you are; what I care about are your patterns, and can I figure out what those patterns are to create affinities. So we take the identities out on the front end, anonymize the data, do the analysis on it, and then potentially, at the back end, our customers re-identify the people we anonymized on the front end. That makes it a little bit better, because it's no longer a creepy factor per se. When you work with someone like Dale on what the usage of that data is, in many cases the analysis is done for the good of that person. So that person either, A, gets a healthier lifestyle, or, B, gets to see the products and services they want to see or want to be able to purchase. So for us, it's about understanding how we protect the individual as you look through the entire analysis stream. And that's what we do on the advisory side with our customers.

So that's cool, but the chief marketing officer, he or she wants to identify that individual, the customer of one, that one-to-one personal interaction. How do you square that circle?

Well, when we work with the marketing team, they always say, we have a population of five million in our database and I want to look at all five million. And it's like, yes, you can look at all five million, but anonymize them first, because in most cases you're going to send the data to your data scientists, and there are 20 or 30 data scientists who could be working on those five million records to create your campaigns. They don't need to know names, phone numbers, or addresses. So secure the data so that you're not carrying identifiable information through the ecosystem. Only at the very end, when you say, out of that population of five million, Mr. Marketer, here's the half a million with a high propensity to do what you're asking them to do, is when you re-identify.
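A minimal sketch of the anonymize-analyze-re-identify flow Nick lays out, assuming a keyed-hash token scheme; the key handling, names, and stand-in model output are illustrative assumptions, not Mastercard's actual pipeline:

```python
import hmac
import hashlib

SECRET_KEY = b"held-by-a-small-trusted-team"  # assumed key-custody model

def pseudonymize(customer_id: str) -> str:
    """Replace an identifier with a stable, non-reversible token."""
    return hmac.new(SECRET_KEY, customer_id.encode(), hashlib.sha256).hexdigest()

# Analysts work only on tokens; the token->id map stays with the data owner.
customers = ["cust-001", "cust-002", "cust-003"]
token_map = {pseudonymize(c): c for c in customers}

# ... pattern analysis happens here on tokens, never on raw identifiers ...
high_propensity_tokens = [pseudonymize("cust-002")]  # stand-in for model output

# Only at the very end does the data owner re-identify the short list.
reidentified = [token_map[t] for t in high_propensity_tokens]
print(reidentified)  # ['cust-002']
```

The design point mirrors the conversation: the 20 or 30 data scientists only ever see tokens, and re-identification is a deliberate, final step applied to the short list alone.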
So at that particular point, you haven't put five million people at risk; you've identified the half a million with a propensity to do what you want them to do, a propensity to purchase, a propensity to take an action. So again, the end is when you re-identify and say, these are the people we should be sending a mailer or an email to, or an offer.

And that narrows the threat matrix, if I could use that term, and reduces the risk.

Very much so.

To the consumer, and obviously to the organization.

Yeah, and that's why, when we work with people like our privacy officers, the question is: what are you trying to do in the analysis, so that we can understand that data usage? Because that becomes important to what data is carried through the analysis phase. You may not have to carry gender. You may not have to carry ethnic background. You may not have to carry any of these other markers that someone could be identified with. So if we can keep those out, it comes down to how you're using the data and the analysis at the end.

And to follow up on that, that's what the privacy office does. It works with the business when they are envisioning a particular use of data, an application, a product that's going to do some of these analytics. We work with them to design that product to avoid some of these risks. Sometimes you can't. Sometimes the answer is, we absolutely need that personal information, because that's the purpose of that particular project. In those cases, we look at: did you have permission from the data subject to do what you want to do with the data? And if not, does the societal good outweigh the risks? And can you mitigate those risks in certain ways? So that's the balancing act that we do, and that's how we decide when something is past that creepy line and when it isn't. Because my role within the company is to advocate for the data subject, to make sure their expectations are being met by Dell.

I wonder if we can unpack another use case, which is fraud detection, which has advanced so rapidly in the last 10 years. It used to be six months before you found out maybe something had happened, and you had to look at your own statements; now you're getting texts, very proactive. Certainly a lot of information has to be accessible, but it's very narrow in terms of the individual. Can you talk about that use case?

Yeah, the one thing we find from our customers, or the people we work with, is that when you talk about fraud, people don't mind that you're watching, because you're reducing their liability. You're keeping someone from stealing that credit card from them, or from being able to run up charges. So when you talk about protecting someone's digital persona, their wallet, they're willing to give and take a little bit on what information they provide to you. They don't mind that you know that, hey, I'm in Austin, Texas today, and someone's trying to charge in Qatar the same day. They understand that.

It's not a privacy issue, but I want to ask you about how the pendulum has swung. Like I said, it used to take forever to find out if there was some kind of fraud. Then it became this flood of false positives. It seems to be getting better, and presumably it's because of big data analytics, but I wonder if you could talk about that.
Absolutely. Our fraud teams at Mastercard work very hard to reduce the false positives, because they create a bad experience for both the user and the issuer of that card, right? So what we try to do all the time is continue to learn, with machine learning and artificial intelligence, how to reduce that. You also look at people's patterns: is this person a professional traveler, always traveling? That goes into the algorithm when we take a look at a potential false positive around fraud. Do they buy these types of goods with their credit cards? So again, when you start to look at the protection, and you start to add those rules into it, you start to actually reduce the false positives. It's all about learning. It's not just one and done. Those algorithms have to be constantly updated, in real time in some cases, so that you're constantly in a learning phase.

You're building models and iterating those models, and that's always the challenge. I'd love to talk about that if we have time, but I wanted to ask you, Dale, about deep learning. Michael was talking a lot about machine learning and deep learning as part of his visionary discussion this morning. What's the role of transparency? How do you guide your constituents in terms of transparency? What are the guidelines? How transparent, and when to be transparent?

Yeah, that's a great question. Transparency was where the privacy profession lived 10 years ago. It was all about giving consumers notice about why you're collecting the data, using it consistent with that notice, and being very visible with privacy statements, and there are lots of laws around that now where you have to give specific notices. The problem with big data is that its power comes from using the data in ways you didn't envision when you collected it, and that is the dilemma for privacy and big data. That's where the privacy community is trying to develop tools for organizations to do a balancing act: okay, the consumer didn't know when they gave you that data that it was going to be used for this purpose, but the new use is tangential to the original one, so it would be acceptable. But if the use would so surprise the consumer, you really need to go back and get re-permissioned, and in some countries it's an opt-in permission.

I mean, it makes spam and do-not-call laws seem trivial, doesn't it? You were mentioning off camera that your CISO participates in public policy through the Obama administration. Was that on your side?

Security and securing the data are part of our DNA. Our CEO has made a tremendous commitment to make sure we apply our best practices and help the community understand how to keep data secure, because that's a digital persona. We consider ourselves to be stewards of data, not owners of data. Someone has entrusted us with it, and we want to make sure we're constantly contributing back: how to keep it secure and used right.

How about regional nuances, local laws? Describe what you're seeing there and how you address those complexities.

Yeah, so a good example is the new European regulation that goes into effect in May of 2018. It has a new, specific requirement about profiling, automated decision making that's used for marketing purposes. You have to have an opt-in for using that data. Companies are going to struggle with how to implement that.
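One hedged sketch of what implementing that opt-in could look like in code: capture an explicit profiling consent flag at collection and filter on it before any automated profiling. The Record shape and field names are assumptions for illustration, not a reference to any actual compliance system.

```python
from dataclasses import dataclass

@dataclass
class Record:
    token: str               # pseudonymized identifier
    opt_in_profiling: bool   # explicit opt-in captured at collection time
    purpose: str             # purpose the data was collected for

def profiling_eligible(records):
    """Only records with an explicit profiling opt-in may enter the model."""
    return [r for r in records if r.opt_in_profiling]

batch = [
    Record("a1f3", True, "marketing"),
    Record("b2e9", False, "marketing"),
]
print([r.token for r in profiling_eligible(batch)])  # ['a1f3']
```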
But nonetheless, it's a new law, and that law carries a potential penalty of 4% of annual revenue.

Wow, so that may get people's attention. You have to opt in to be profiled automatically?

Automated profiling where it's going to be used for certain types of purposes, certain decisions. And what they're really trying to avoid, which the Obama administration's big data report raised as well, is discrimination: decisions about insurance and credit, et cetera, that are automated, and then marketing decisions made with that data. The law now requires very specific opt-in and transparency.

Boy, that's going to be tricky.

Yeah, the thing for us, as was just described, working with people, is the ability to tag that data as it's being brought in. As you think of big data and ingestion, it's that tagging of the data and carrying the metadata. What types of data need to be tagged? What types of data do you have to be watching out for? Was it an opt-in versus an opt-out? All of that adds to understanding the power of what big data can do to protect both the individual and the company from doing something wrong with the information. The nice part is, with big data, you can do that. So again, we're working with our customers and with the privacy officers to understand how you do your data classifications, what data needs to be tagged, and then how to follow that full lineage through the entire ecosystem.

And obviously that has to be done at the point of creation.

Correct.

Otherwise it's not going to scale. And technology helps you solve that problem. That's been a challenge for years, but we're at the point where it actually works now.

Yeah, there are a lot of great partners, and they're here at Dell EMC World as well, to help on that ingestion of data as it's coming in, to start to tag it and to start to index and catalog it. That's the power of what big data can help you with, because before, you had to do it individually. Now you can actually use the tools. You can use AI to understand the information as it comes in, to do that tagging, to create that lineage. It's very, very important and very powerful, especially as we start looking at what's coming down the road.

Dale, do you get involved in helping guide solutions? Is that part of your role?

So we have a process called the privacy impact assessment, and it's in the lifecycle development of our products and services. Much like the security reviews that are done when we commercialize a product, we now interject ourselves with a privacy review. So if a project, product development, or application intends to use big data analytics, we will help guide the business on whether they need to build in opt-in consents, what they want to do with the product, and what kinds of things they need to build in from a compliance perspective, so that we are at the table with our business partners.
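A minimal sketch of the ingestion-time tagging and lineage Nick describes, carrying classification and consent metadata with each record as it moves through the pipeline; the tag vocabulary and record structure are illustrative assumptions:

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class TaggedRecord:
    payload: dict
    classifications: list              # e.g. ["pii", "financial"]
    consent: str                       # "opt_in" or "opt_out"
    lineage: list = field(default_factory=list)

    def annotate(self, step: str):
        """Append a processing step so full lineage survives the pipeline."""
        self.lineage.append((step, datetime.now(timezone.utc).isoformat()))

rec = TaggedRecord({"amount": 42.0}, ["financial"], "opt_in")
rec.annotate("ingested")
rec.annotate("anonymized")
print(rec.lineage)  # [('ingested', '...'), ('anonymized', '...')]
```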
All right, we've got to wrap, but Nick, I'll give you the last word. As the big data analytics, I'll call you, visionary: what does the future hold? Where's your focus in the next year, near to midterm?

You know, I want to stay right with the ethics world. What I always tell people we're asking now is: just because you have the data doesn't mean you have to use the data. Just because you have that information, you've got to become a parent and put some parameters around how that data is used. So bring the people in the privacy world to the table. Again, just because you have it doesn't mean you should be using it, and it's better to be a parent than to let people run crazy.

Great. Nick and Dale, thanks very much for coming on theCUBE. I love this conversation, it's fascinating. Appreciate the work you do.

All right, keep it right there, everybody. We'll be back. This is Dell EMC World from Austin, Texas. This is theCUBE. We're right back.