GDPR is a regulation in Europe with teeth and has benefited the entire cycle of business transactions in the continent: Richard Hogg, Global GDPR Governance Evangelist, IBM

"GDPR is a regulation in Europe with teeth and has benefited the entire cycle of business transactions in the continent," said Richard Hogg during an interview with BW CIO discussing the importance of the regulations around protection of data. Data is believed to be the new oil of the markets that are gradually transforming to the digital space. Apropos of that journey, IBM states that it is crucial for organizations and businesses across the world to understand futuristic regulations like GDPR. On his trip to Mumbai, Richard Hogg also spoke at the IBM Cloud and Data Summit 2018 about the importance of GDPR readiness and of data governance.

  • What is the importance of data governance? How important is it in India?

I think the bigger part of the answer lies in the importance of data governance not just in India but wherever you are. Whatever country and jurisdiction, there are always regulations, which may vary from a few to multiple. Regulations that define simplistically information governance bigger than data governance, but focused on all information. These bodies oversee the time period for which the data is kept with an organization and the purpose behind storing the data. Some countries have a rule that regulations cannot be entirely digitized and are still on paper and there may be rules stating that certain information must remain inside a country. If you operate in multiple countries all these principles overlap and compete and often get confusing. Hence, that is where you get legal and compliance teams involved that will help to regulate the middle ground that works best for the business driven by both risk and economic perspectives.

The ideal with GDPR (General Data Protection Regulation) is that it is standardizing the privacy and security regulations of all 28 countries in Europe. The countries today in Europe have different levels of privacy and data regulations like we do in India, but it standardizes them to make it a level playing field which is easy enough for anyone operating in multiple countries in Europe. There already are regulations in India, types of information are used in order to access public data. But with GDPR we can access personal data.

  • Could you elaborate more on the services provided by IBM that cover data governance as a complete solution?

We believe that we have the most comprehensive technology solutions with our clients that go through the GDPR journey and some clients have been with us 4 years on that journey while some have been more heavily regulated in terms of financial services and insurance. We have worked with large clients across the world where they have complete end to end solutions and everything was outsourced from IBM. We were also involved in the non-technical part of it focusing on people, policies and process compliance changes. Other clients tend to pick and choose where they have a particular roadblock or gap and they would only prefer fixing problems related to data catalog, mapping, trafficking or even mediation. We've got building blocks all over our solutions where clients can pick and choose which services they need or purchase the end to end solutions. IBM is running its own global program to make IBM GDPR compliant and we are drinking the same champagne. We use the same solutions for our clients that are practiced at IBM. I am part of the internal process as well and we made a public commitment to readiness with ibm.com/gdpr which was out last year as a market commitment to our partners. IBM has also made public its own e-book defining the steps they took in their journey.

  • How would you define IBM's product and services to be unique from its competitors?

IBM has a complete set of solutions compared to all the other competitors in the market. There are lots of other piecemeal price products but they are generally stand-alone and not integrated. What you're trying to do with GDPR or any major regulation is have a comprehensive approach that lets you optimize and accelerate everything you're doing. What we have invested in from last year has been adding in accelerators at every step in the journey and we've got a well defined 5 phased methodology in the GDPR journey. Many of these accelerators are focused around machine learning, e.g. if you're trying to discover personal data, it's hard to do with many of the tools out there today and especially if the data consists of phone numbers, bank account numbers, passport numbers or even credit card numbers. Those are well defined patterns where many tools can find them but it would sum up to only 5% of the whole lot. Hence we have invested in machine learning to train it up on extended set of what is European data and in other languages. Which means you can immediately plug in this discovery accelerator device up and get access to real data. New information can always be timed and cataloged.

  • How has IBM's journey shaped with respect to GDPR?

GDPR has everyone's attention in the world whether it is related to European employee or customer data because it has large financial penalties. It is not the first regulation because we have had this in Europe for 20 years, Asia-Pacific has had these regulations for multiple years including Singapore, Hong Kong (PDPA 2012 Act), Australia and Japan. GDPR is the first with real large financial penalties which resulted in a risk assessment we conducted and chose to embrace GDPR and follow these regulations globally. We have followed the guidelines with respect to GDPR across 100,000 of our employees, 47 distinct business units and we operate in over 200 countries. This is one of the biggest GDPR programs for GDPR readiness where we are using our 5 step methodology with our clients. These common steps for GDPR readiness where the first step is assessment which helps in figuring out the regulations for anyone who doesn't know where to start. The risk privacy impact assessment distinguishes the 3 main slices of the pie. Compliance which elaborates People, Policy, Process and Education, technical organizational methods followed by an organization, the maturity value of the company. Encryption, access control monitoring, rights of accessing information and constructive plan of action to overcome problems like data breach known as incident breach readiness reporting. The third major slice of the pie is personal data where GDPR Speak can access personal information and identify individuals as a living person in Europe. We need to know where the personal data is and where our client's data is and protect its life and be able to document how that information is used. We at IBM have a 6 legal basis of processing procedures which includes the right to correct data, right to inquire, right to erase data and the right to data portability and provide it to the client after the term of the business is concluded.

  • How is a governance offerings evangelist adding value to the organization in a segment like GDPR?

One of my day jobs as an evangelist is to work with our clients, partners worldwide along with our analyst and the media out there and share the IBM story. Yes, we are a tech company and we would like to serve you all those products but apart from that we would also like to provide our services. All the non-technological trends including GDPR and we are doing it ourselves first in our organization and only promoting it after successfully examining the policies and regulations. We see GDPR as a transformation opportunity and accelerate everyone on that journey of a digital business. The other part of my job is to be involved with the internal program where IBM is getting ready and we're almost there.

  • What is the topic you have spoken about at the IBM Cloud & Data Summit 2018?

I have presented the IBM point of view with respect to GDPR and how do we see it as a business opportunity. The point is to keep less data in an organization's system which would be of more value and that will allow companies to work in a trusted way with customers. The entire process would be transparent which would give more hope to the client to provide more valuable data in the future which can provide personalized goods and services tailored to them. You may end up with less data or even fewer customers but of more value with a longer life to the business. More and more citizens in countries are looking for trust and transparency with their vendors.

  • How is India faring in terms of data governance policies and guidelines?

I'm not an expert in the regulatory arena of India but I do know there are regulations applied for tax. There are regulations on how long to store tax documents which is one of the examples, there will be others in financial operations, insurance, manufacturing, transportation, healthcare which have some level of regulations. Many countries are on this journey to standardize and simplify to automate these regulations. The challenge for multinational companies is to weave a path through all these multiple overlapping. The same operations are now being slowly implied in South East Asia and especially in India.

  • Where would you see data governance in the future? How much of an impact is it going to make?

One reason we've over collected and over retained historically has been because of the big dream of data analytics. But that resulted in keeping a lot of stale data which would have been as old as 15 years. That data costs real money for storing, backing up and reformatting the data. Hence we thought of an economical solution and decided to keep less valuable data which would be less in quantity but easier to run analytics on. In the future if you have got less data with more value and trust, then you can do far more with analytics on that in the future and get more tailored goods and services. That is where I would see data governance become more mature and will create a huge impact on the businesses with respect to data governance.

  • What are the industry segments that IBM is working with, especially in the Indian market?

With GDPR we mainly work with the heavily regulated industries worldwide who have been facing a reality of large regulations. In India we generally leverage a lot of service providers who have been taking our services and solutions and putting more end to end hosted capabilities on the cloud for the customers here. There are 2 areas where IBM is investing in order to be GDPR ready. We have invested in machine learning with a regulatory analysis solution. That would allow you to take the PDF of the regulation and all the regulations applied to your business, digest the native regulations along with that and the machine learning can chew on that while accelerating on your compliance staff spitting out all the controller obligations from the regulation instead of taking weeks and months to interpret the regulation. The other area is blockchain where we have invested in but we have issued a Blockchain GDPR Whitepaper which you can find on our website and we've laid down 5 examples/use cases describing how blockchain would help in the future along the GDPR privacy and compliance journey. What if your personal data was controlled from a blockchain and you could go to the market and tell the vendors to not upsell or resell to you. Any vendor who's getting access to information via your central blockchain can see what you consent or don't consent to. This is one of the 5 valuable examples.

  • What does the IBM study that was launched around GDPR specify? What is the key takeaway from the study you have co-authored?

We did the study over last couple of months talking to over 1500 businesses worldwide who were doing GDPR. In a summary there are 30% who feel they are ready in a span of 9 days. Two thirds are not ready but are on that journey and the reality is the regulation is prescriptive but not definitive. There is no formal certification program or compliance program for GDPR yet, the only ones who said we are GDPR compliant would not be telling the truth because there is no formal program to do that. For the next 2-3 years we wish to wait and understand the regulations that are going to be rolled out along with the interpretation of the regulations and what do they impose. Our customers will also learn and revive with the help of the new guideline through our efforts for GDPR readiness. The report also summarizes some of the key challenges that organizations would have ahead of them would be to discover and find personal data. Just searching with a simple tool for a pattern is not enough and look across tons of petabyte through an organization's data is a challenge. Later it is not just finding personal data but to whom does that data belong to and its location across 50 different systems that it could be in. Getting the inventory for all that mapping is the key challenge that the report called out.

Bhaktvatsal Sharma

BW Reporters The author is a journalist with BW Businessworld
