
Monday, August 13, 2018

GDPR Forces a Rekindling of the People-Centric Approach to Marketing and Business

Transcript of a discussion on how GDPR impacts how customer data can be used, forcing marketers to rethink digital-only approaches to customer outreach and relationships.

Listen to the podcast. Find it on iTunes. Get the mobile app. Download the transcript. Sponsor: SAP Ariba.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Our next digital business innovation discussion explores how modern marketing is impacted by the General Data Protection Regulation (GDPR). Those seeking to know their customers well are finding that this sweeping new European Union (EU) law forces a dramatic shift in how customer data can be gathered, shared, and protected.

And it means that low-touch marketing by mass data analysis and inference alone likely will need to revert to the good-old-fashioned handshake and more high-touch trust building approaches that bind people to people, and people to brands.

Here to help us sort through a more practical approach of rethinking marketing within the requirements of highly protected data is Tifenn Dano Kwan, Chief Marketing Officer at SAP Ariba. Welcome, Tifenn.

Tifenn Dano Kwan: Thank you, Dana. Very glad to be with you.

Gardner: Now that GDPR is fully in place, it seems that we’ve had to embrace the concept that good privacy is good business. In doing so, it seems that marketers have become too dependent on data-driven and digital means of interacting with their customers and prospects.

Has GDPR done us a favor in marketing -- maybe as an unintended consequence -- when it comes to bringing the human relationships aspect of business back to the fore?

Marketing with soul 

Dano Kwan: GDPR is giving us the ability to remember what marketing is, and who we are as marketers. I think that it is absolutely critical to go back to the foundation of what marketing is. If you think about the role of marketing in an organization, we are a little bit of the Picassos of companies -- we are the creative souls. We bring the soul back into an organization.

Why? Because we control the narrative, we control the storytelling, and we control the brands. Also, in many ways -- especially over the past couple of years -- we control the data because our focus is understanding the audience and our customers.

With the rise of digital over the past couple of years, data has been the center of a lot of what marketing has been driving. But make no mistake, marketers are creative people. Their passion is in creating amazing stories -- to promote and support sales in the selling process, and being, frankly, the voice of the customer.

The GDPR law is simply bringing back to the forefront what the value of marketing is. It’s not just controlling the data. We have to go back to what marketing really brings to the table. And go back to balancing the data with the art, the science with the art, and ensuring that we continue to add value to represent the voice of the customer.

Gardner: It must have been tempting for marketers, with the data approach, to see a lot of scalability -- that they could reach a lot more people, with perhaps less money spent. The human touch, the high-touch can be more expensive. It doesn’t necessarily scale as well.

Do you think that we need to revisit cost and scale when it comes to this human and creative aspect of marketing?

Balancing high- and low-touch points 

Dano Kwan: It’s a matter of realigning the touch points and how we consider touch points when we drive marketing strategies. I don’t think that there is one thing that is better than the other. It’s a matter of sequencing and orchestrating the efforts when we run marketing initiatives.

If you think about the value of digital, it’s really focused on the inbound marketing engine that we have been hearing about for so many years now. Every company that wants to scale has to build an inbound engine. But in reality, if you look at the importance of creating inbound, it is a long-term strategy, it doesn’t necessarily provide a short-term gain from the marketing standpoint or pipeline standpoint. It needs to be built upon a long-term strategy around inbound searches, such as paid media search, and so on. Those very much rely on data.

While we need to focus on these low-touch concepts, we also need to recognize that the high-touch initiatives are equally important.

Sometimes marketing can be accused of being completely disconnected from the customers because we don’t have enough face-to-face interactions. Or of creating large events without an understanding of high-touch. GDPR is an opportunity like never before for marketers to deeply connect with customers.

Gardner: Let’s step back and explain more about GDPR and why the use of data has to be reevaluated.

GDPR is from the EU, but any company that deals with the supply chains that enter the European Union -- one of the largest trading blocs in the world -- is impacted. Penalties can be quite high if you don’t treat data properly, or if you don’t alert your customers if their private data has been compromised in any way.

How does this reduce the amount that marketers can do? What’s the direct connection between what GDPR does and why marketers need to change?

Return to the source 

Dano Kwan: It’s a matter of balancing the origins of a sales pipeline. If you look at the sources of pipeline in an organization, whether it’s marketing-led or sales-led, or even ecosystem- or partner-led, everybody is specifically tracking the sources of pipeline.

What we call the marketing mix includes the source of the pipeline and the channels of those sources. When you look at pure inbound strategies, you can see a lot of them coming out of digital properties versus physical properties.

We need to understand the impact [of GDPR] and acknowledge a drop in the typical outbound flow, whether it’s telemarketing, inside sales, or the good-old events, which are very much outbound-driven.

Over the next couple of months there is going to be a direct impact on all sources of pipeline. At the very least, we are going to have to monitor where the opportunities are coming from. Those who are going to succeed are those who are going to shift the sources of the pipeline and understand over time how to anticipate the timing for that new pipeline that we generate.

We are absolutely going to have to make a shift. Like I said, inbound marketing takes more time, so those sources of pipeline are more elongated in time versus outbound strategies. Some readjustment needs to happen, but we also need new forms of opportunities for business.

That could mean going back to old-fashioned direct mail, believe it or not -- this is back in fashion, and this is going to happen over again. But it also means new ways of doing marketing, such as influencer marketing.

If you think about the value of social media and blogs, all those digital influencers in the world are going to have a blast, because today if you want to multiply your impact, and if you want to reach out to your audiences, you can’t do it just by yourself. You have to create an ecosystem and a network of influencers that are going to carry your voice and carry the value for you. Once they do that they tap into their own networks, and those networks capture the audiences that you are looking for. Once those audiences are captured through the network of influencers, you have a chance to send them back to your digital properties and dotcom properties.

We are very excited to see how we can balance the impact of GDPR, but also create new routes and techniques, to experiment with new opportunities. Yes, we are going to see a drop in the traditional sources of pipeline. It’s obvious. We are going to have to readjust. But that’s exciting, it’s going to mean more experimentation or thinking outside of the box and reinventing ourselves.

Opportunity knocks, outside the box 

Gardner: And how is this going to be different for business-to-consumer (B2C) and business-to-business (B2B)? We are seeing a lot of influencer marketing that is effective for consumer and some retail; is it just as effective in the B2B space? How should B2B marketers be thinking differently?

Dano Kwan: I don’t know that it’s that different, to be honest with you, Dana. I think it’s the same thing. I think we are going to have to partner a lot more with what I call an ecosystem of influencers, whether it be partners, analysts, press, bloggers or very strong influencers who are extremely well-networked.

In the consumer world, the idea is to multiply the value. You are going to see a lot more partnerships, such as co-branding initiatives that are going to rise. Or where two brands come together, carrying the power of their message to reach up to and join customers.

Gardner: As an observer of SAP Ariba over the past several years, it’s been very impactful for me to see how the company has embraced the notion of doing good and doing well in terms of the relationship with customers and the perception of a company. I think your customers have received this very well.

Is there a relationship between this new thinking of marketing and the idea of being a company that’s perceived as being a good player, a good custodian in their particular ecosystems?

Purpose-driven pipelines

Dano Kwan: It’s a great question, Dana. I think those two things are happening at the same time. We are moving toward being more purposeful because the world simply is moving toward becoming more purposeful. This is a trend we see among buyers in both the B2C and B2B worlds. They are extremely sensitive to those notions -- especially millennials. They look at the news and they truly worry for their future.

The end-goal here is to remind ourselves that companies are not just here to make a profit -- they are here to make a difference.

GDPR is shifting the focus of marketing within companies to where we are not just seeking data to reach out to audiences -- but to be meaningful and purposeful when we reach out to our customers. We must not only provide content; we have to give them something that aligns with their values and ignites their passions.

So, those two things are connected to each other, and I think it’s going to accelerate the value of purpose, it’s going to accelerate the value of meaningful conversations with our customers that are truly based -- not just on profit and data -- but on making a difference in the world, and that is a beautiful thing.

Gardner: Do you think, Tifenn, that we are going to see more user conferences -- perhaps smaller ones, more regional, more localized -- rather than just once a year?

Dano Kwan: I think that we are going to see some readjustments. Big conferences used to happen in Europe and North America, but think about the emerging markets, think about Latin America, think about Asia Pacific and Japan, think about the Middle East. All of those regions are growing, they are getting more connected.

In my organization, I am pushing for it. People don’t necessarily want to travel long distances to go to big conferences. They prefer local interaction and messaging. So regionalization and localization -- from messaging to marketing activities -- are going to become a lot more prominent, in my opinion, in the coming years.

Gardner: Another big trend these days is the power that artificial intelligence (AI) and machine learning (ML) can bring to solve many types of problems. While we might be more cautious about what we do with data -- and we might not get the same amount of data under a GDPR regime -- the tools for what we can do with the data are much stronger than before.

Is there some way in which we can bring the power of AI and ML into a creative process that allows a better relationship between businesses and consumers and businesses and businesses? How does AI factor into the next few years in a GDPR world?

AI gets customers 

Dano Kwan: AI is going to be a way for us to get more quality control in the understanding of the customer, definitely. I think it is going to allow us to learn about behaviors and do that at scale.

Business technologies and processes are going to be enabled through AI and ML; that is obvious, all of the studies indicate it. It starts with obvious sectors and industries, but it’s going to expand drastically because it informs more curiosity in the understanding of processes and customers.

Gardner: Perhaps a way to look at it would be that aggregated data and anonymized data will be used in an AI environment in order to then allow you to get closer to your customer in that high-touch fashion. Like we are seeing in retail, when somebody walks into a brick-and-mortar environment, a store, you might not know them individually, but you have got enough inference from aggregated data to be able to have a much better user experience.

Dano Kwan: That’s exactly right. I think it’s going to inform the experience in general, whether that experience is communicated through marketing or via face-to-face. At the end of the day, and you are right, the user experience affects everything that we do. Users can get very specific about what they want. They want their experiences to be personal, to be ethical, to be local, and regionalized. They want them to be extremely pointed to their specific needs.

And I do believe that AI is going to allow us to get rapidly attuned to the customer experience and constantly innovate and improve that experience. So in the end, if it’s just the benefit of providing a better experience, then I say, why not? Choose the tools that offer a superior experience for our customers.

I believe that the face-to-face approach, especially when you have complex interactions with customers, still is going to be needed. And the face-to-face approach, the real touch point that you have, is going to be necessary in complex engagements with customers.

But AI can also help prepare for those types of complex interactions. It really depends on what you sell, what you promote. If you promote a simple solution or thing that can be triggered online, then AI is simply going to accelerate the ability for the customer to click and purchase.

But if you go with very complex sales cycles, for example, that require human interactions, you can use AI to inform a conversation and be prepared for a meeting where you have activated data to present in front of your customer and to support whatever value you want to bring to the customer.

Gardner: We are already seeing that in the help-desk field where people who are fielding calls from customers are much better prepared. It makes the agents themselves far more powerful.

How does this all relate to the vast amount of data and information you have in the Ariba Network, for example? Being in a position of having a lot of data but being aware that you have to be careful about how you use it, seems to me the best of all worlds. How does the Ariba Network and the type of data that you can use safely and appropriately benefit your customers?

Be prepared, stay protected

Dano Kwan: We have done extensive work at the product level within SAP Ariba to prepare for GDPR. In fact, our organization is one of the most prepared from a GDPR standpoint not only to be compliant but to offer solutions that are enabling our customers to themselves become compliant from a GDPR standpoint.

That’s one of the strengths [that comes] not just from Network, but also [from] the solutions that we bring to the industry and to our customers.

The Ariba Network has a lot of data that is specific to the customer. GDPR is simply reinforcing the fact that data has to be protected, that all companies, including SAP Ariba -- and all supply chain and procurement organizations in the world -- have to be prepared for it, to work toward respect of privacy, consent, and ensuring that the data is used in the right way. SAP Ariba is absolutely partnering with all the suppliers and buyers in the network and preparing for this.

Gardner: If you’re a marketing executive and you weren’t necessarily thinking about the full impact of GDPR, do you have some advice now that you have thought this through? What should others who are just beginning that process be mindful of?

Dano Kwan: My single biggest advice is to really focus on knowledge transfer within the organization. GDPR is a collective responsibility. It is not just a marketing responsibility; the sales teams, the customer facing teams -- whether it’s support services, presales, sales -- everybody has to be prepared. The knowledge transfer is absolutely critical, and it has to be clear, it has to be simple, and equipping the field within your organization is critical. So that’s number one, internally.

But the positioning with the external contributors to your business is also critical. So ensuring that GDPR is well understood with the external suppliers as well as agencies, from a marketing standpoint, and then all the partners that you have is equally important.

Prepare by doing a lot of knowledge transfer on what GDPR is, what its impact is, and what’s in it for each constituent of the business. Also, explore how people can connect and communicate with customers. Learn what they can do, what they can’t do. This has to be explained in a very simple way and has to be explained over and over and over again because what we are seeing is that it’s new for everyone. And one launch is not enough.

Over the next couple of months all companies are going to have to heavily invest in regular knowledge-transfer sessions and training to ensure that all of their customer-facing teams -- inside the organization or outside -- are very well prepared for GDPR.

Gardner: I’m afraid we’ll have to leave it there. You’ve been listening to a sponsored BriefingsDirect discussion on how the sweeping new European Union law GDPR forces a dramatic shift in how customer data can be gathered, shared, and protected.

And we have learned how low-touch marketing will likely revert to include more of the good old-fashioned handshake and personal trust-building methods that bind people to people -- and people to brands.

So, a big thank you to our guest, Tifenn Dano Kwan, Chief Marketing Officer at SAP Ariba. Thank you so much, Tifenn.

Dano Kwan: Thank you very much, Dana.

Gardner: And a big thank you to our audience as well for joining this BriefingsDirect digital business innovation interview.

I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host throughout this series of SAP Ariba-sponsored BriefingsDirect discussions. Thanks again for listening, and do come back next time.


Copyright Interarbor Solutions, LLC, 2005-2018. All rights reserved.


Monday, July 11, 2016

How Allegiant Air Solved its PCI Problem and Got a Whole Lot Better Security Culture, Too

Transcript of a discussion on how security technology can lead to a better posture maturity and then ultimately to cultural transformation and many added business benefits.

Listen to the podcast. Find it on iTunes. Get the mobile app. Download the transcript. Sponsor: Hewlett Packard Enterprise.

Dana Gardner: Hello, and welcome to the next edition of the Hewlett Packard Enterprise (HPE) Voice of the Customer podcast series. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator for this ongoing discussion on IT Innovation -- and how it's making an impact on people's lives.

Our next security innovation and transformation discussion explores how airline Allegiant Air solved its payment card industry (PCI) problem, and got a whole lot better security culture to boot.

When Allegiant needed to quickly manage its compliance around the Payment Card Industry Data Security Standard, the company embraced many technologies, including tokenization, but it also adopted an improved position toward privacy methods in general.

Here to share how security technology can lead to posture maturity -- and then ultimately to cultural transformation with many business benefits -- we're joined by Chris Gullett, Director of Information Assurance at Allegiant Air in Las Vegas. Welcome, Chris.
Chris Gullett: Thank you, Dana. I’m looking forward to this discussion.

Gardner: Let's begin at a high level. What are the major trends that are driving a need for better privacy and security, particularly when it comes to customer information, and not just for your airline, but for the airline industry in general?

Gullett: The airline industry in general has quite a bit of personally identifiable information (PII). When you think about what you have to go through to get on the plane these days, everything from your whole name, your date of birth, your address, your phone number, your flight itinerary, is all going in the record.

There is a lot of information that you would rather not have in the public domain, and the airline has to protect that. In fact, there have been a couple of data breaches involving major airlines with things like frequent-flyer programs. So, we have to look carefully at how we interact with our customers and make sure that data is incredibly safe. We just don't want to take the brand hit that would occur if data leaked out.

Gardner: At the same time, we’re enjoying much better benefits by attaching more data to transactions, to process; we're able to cross organizational boundaries. And so, the user-experience benefits of having more data are huge. We don't want to back off from that, but we do want to be able to make sure that that data is protected.

What are some of the major ways we can recognize the need for better data uses, but keep it protected? Can they be balanced?

Technology fronts

Gullett: The airline industry is moving forward on a lot of technology fronts. Some airlines, for example, are using mobile devices to welcome specific customers on board with a complete history of how good a customer they are to that particular airline, so they can provide additional services in the air.

Other airlines are using beaconing [location] technologies, which I think is kind of cool. If you have a mobile app on your phone for the airline and you're transiting through the airport, how cool is it to know where you are and how long it's taking you to get through security. So, the airline might adapt at the gate as to whether there are going to be problems or not in boarding that particular plane.

There are a lot of different data points that are being collected and used now with different airlines handling them in different ways. In any event, the need for privacy is important, especially in the European Union (EU), which has incredibly tight data-privacy protection laws.

Gardner: We've talked about that on this podcast series. Now, the answer isn’t just the old thinking around security, where we'll just wall it off, or we'll use as little data as possible. Instead, we need to have more data in more places -- even down at that mobile edge.

So, as we think about ways to accommodate our need for more data in more places, even everywhere, is there top-level thinking that goes along with being able to make the data private, but also usable?

Gullett: That's the balancing point. Everybody wants their data everywhere. Before, a data center protected data inside the tight little confined, hardened shell you used to have, a perimeter with a firewall, and things like that. But we need data out to the edge where it's actually being consumed; that’s what has to happen these days.

Some airlines are putting consumer PII right in the hands of the flight attendant on the plane. At Allegiant, for example, we're using mobile devices to accept credit cards on the plane. We're experimenting with a number of different technologies that fall into a category of Internet of Things (IoT), when you think about them. What they all have in common is that they're outside any possible perimeter.

So, you have to find a way to make every device have its own individual perimeter, and harden the data, harden the device, or some combination of the two.

Gardner: Let's hear more about your particular airline. Tell us about Allegiant Air and what makes it unique in the airline industry.

Regular profitability

Gullett: At Allegiant, we're up to 54 consecutive quarters of profit, which is unheard of in the airline industry. The famous phrase about the airline industry is, “How do you become a millionaire? You start with a billion dollars and you buy an airline.”

The profitability of airlines has been much in the news over the last couple of decades, because it's cyclical. Airlines fail, go into bankruptcy, or consolidate. There's been a lot of consolidation in the United States, with United taking on Continental, and Delta taking on Northwest as examples. Southwest taking on AirTran is another. Everybody has been in the game.

Allegiant is kind of off on its own. We've found an interesting niche that has very little direct competition on the routes that we serve, and that is taking vacationers to their favorite vacation destinations.

We connect small- and medium-sized markets -- markets like Kalispell, Montana or Indianapolis, Indiana, a medium-sized city. We'll take them to Florida, Las Vegas, or Los Angeles. We have about 19 vacation destinations now. We have about 115 cities overall. In fact, we serve more cities than Southwest, if you want to get a comparison on the size of the route map. And we're also taking the charter operators to three different countries in the Caribbean.

We have quite a different footprint. That adds up to about $1.3 billion in revenue a year, and from a profitability standpoint, Allegiant is regularly recognized as one of the most profitable airlines in the world.

Gardner: It sounds like most of your passengers, perhaps even all of them, are vacationers, not business travelers. Does that change anything when it comes to user experience, privacy, and data security?

Gullett: It doesn't change anything as far as the need to protect the data, but it puts a greater risk of brand problems concerning data breaches.

Consider the fact that our average customer flies with us once or twice a year. They are, in many cases, flying Allegiant, rather than driving to their vacation destination. Or maybe they're taking a vacation they wouldn't have otherwise because of Allegiant's low prices.

So what you have is “not-frequent travelers.” In fact, that would be kind of a name. If we were going to have a frequent-flyer program it would be the “not-frequent-flyer program,” because vacationing people just don't fly as frequently.

If I'm a business traveler, I am on so-and-so [airline], and they had a breach, I'm going to continue to fly them because I have marvelous status with their frequent-flyer program. Allegiant customers say, “Gee, I'm a little concerned about that and if they have a data breach, I think I'll drive instead.”

So the brand damage from a breach, I believe, is higher for our airline than some of the other airlines out there.

Everyone's responsibility

Gardner: Given how important it is to your business, to your brand, how do you rationalize these approaches to security to the larger organization? I know that's probably not as prominent a problem as it used to be, because we can see directly the business implications of security issues. But how do you make security everybody's responsibility? Is that something that you have been trying to do?

Gullett: First, we're very lucky at Allegiant to have incredibly broad support from the C-suite level and the board of directors for our security program. That's not a benefit that every company has, but we do, and it certainly makes life easier in developing the procedures and processes, and the technologies, necessary to protect our customer data.

We came into the business at Allegiant with the idea that we have the typical triad of people, process, and technology to deal with in the information security program -- the three legs on a stool. If you miss one of those, you are going to be on your butt on the ground because the stool isn't going to work very well.

We focused on technology and process early on, because those were the easy things. Those were the low-hanging fruit. We've really moved into more of a stage of being people-focused now. In fact, much of our budgetary spend is on security awareness for our people.

We really had to look at how we best introduce security awareness to the entire company, and to make the company more culturally sensitive to information security. That extends from the customer service agent who's checking you in at the ticket counter all the way up to the board of directors.

The [security leadership] has certainly chimed in and made our board more aware of problems concerning information security. Recently U.S. Senator Edward Markey (D-Massachusetts) has also introduced legislation that specifically targets cyber security in the United States domestic airline industry.

That need to protect the data has to be recognized, and the most important part of protecting the data is the people that are handling the data. Awareness is really a big part of our program now.

Gardner: How did PCI-compliance form a trigger for your organization? What did that change mean for you, and maybe you could explain how you have gone about it at the process, people, and technology levels?

Compliance requirements

Gullett: Well, God bless compliance, because I think I got my first information-security job thanks to an auditor telling someone that they needed an information security guy because of Sarbanes-Oxley. And I joined Allegiant because of PCI. These various compliance regulations have certainly done wonders for the job market in information security. I can only imagine what it’s like with data security and the EU General Data Protection Regulation (GDPR).

But, in regards to our travel into the world of PCI, Allegiant is also a unique airline in that the software that runs through the airline, the applications that run the airline, are proprietary. We actually write that ourselves. We have a large development staff and every aspect of the operation of the airline is run by custom software that we control and we write.

There are a lot of benefits to that because it allows us to be very agile and flexible if we want to make changes, but there is a downside. Some of the code dates back to the green screen days of the 1990s, and that code was going to be very difficult to bring into compliance from a PCI standpoint. It was just not written with security in mind, and while it wasn’t directly handling credit-card data, it was in the process scope.

A big concern was how we were ever going to bring a significantly non-compliant custom app up to snuff, which would take a great number of application-developer hours, and still meet a relatively tight schedule for becoming PCI-compliant. And so, at the time we looked at a number of different products out there and we thought, well, we can't solve every problem right now. So let’s bite off small chunks and we'll take care of that.

The first thing that looked like it would be fairly easy to do, or at least straightforward from a technology standpoint, was tokenization. And so, our search was, how can we tokenize the cards that we are storing. And that led us to stateless tokenization. We compared a number of different products, but we looked at HPE [Secure] Stateless Tokenization, and that was ultimately our choice for tokenization.

Interestingly enough, while we were on our search for what the best tokenization product was, I happened to read a press release on a website that talked about format-preserving encryption as a new technology that was going to become available -- and that actually became HPE SecureData Web. We found that by accident; it wasn’t even a product that was available at the time. It was going to be targeted at card acquirers, and we actually had a hard time convincing the sales folks to sell it to us as a different type of end-user.

That solved our application problem because it allowed us to encrypt the data that was passing through those legacy apps. Between the tokenization and the format-preserving encryption (FPE) SecureData Web product, we were able to dramatically reduce the overall scope of PCI data, and that finally led us to become compliant.

Gardner: Now, this sounds like, with custom apps, it could take months, even quarters. How much time did it take you, and how important was that to you?

Gullett: The time to implement any application that is outside of what we develop ourselves is always a concern, because that takes our developers, who now have to serve as integrators, off of projects that might lead to higher revenues for the airline or to solve a problem or offer a feature that the airline would like to do. And we're very focused on improving the overall business.

We found that the overall implementation of the HPE products was very efficient. In fact, I think we had one-and-a-half full-time equivalent (FTE) application developers on the project. It took them about three months, and that was integrating with multiple payment-card interfaces. I think we started at the end of October and we went live at the end of January. So it was pretty lightweight from the standpoint of integrating significant products into our ecosystem.

Stateless tokenization

Gardner: Secure stateless tokenization can often take organizations like yours out of the business of storing credit card information at all. You're basically passing it through and using various technologies to avoid being in a position where you could have a privacy problem. Was that the case with you, and did you extend that to other types of data?

Gullett: That was one of the marvelous parts of bringing the system online as it did take us from storing many, many millions of credit card numbers down to absolutely zero. We store no payment card numbers at this time. Everything is tokenized. The card data comes into our internal payment process and the system can send it off to the card acquirer to determine whether it should be approved or denied, and it’s immediately tokenized. So that has been a real win for the company -- just much less to worry about from the card standpoint.

Now from the standpoint of how we can encrypt or protect other data, we're looking at a number of possible scenarios now that we have gotten past the PCI hurdle. For example, while we don’t fly internationally with scheduled service, we do handle the charters for other companies. At some point, the company may well fly to international locations, and we will be collecting passport numbers. That would be the kind of thing we would also look at, in effect using some type of format preserving encryption, so that we're not storing the actual data.

We've gained a lot of experience with the product over the last three years and that’s going to be a fairly easy implementation that will offer a great deal of protection. But we can also extend that out to customer names, birth dates, and all kinds of different things and we are looking at that now.

Gardner: The HPE SecureData Web and the Page-Integrated Encryption are being used by a lot of folks for the webpage, of course, the browser-based apps, but that also can provide a secure way to go to mobile. Many people are interested in the mobile web, not necessarily just native apps. Is that something you have been able to use as well? The SecureData Web as a way to get to the mobile edge securely?

Gullett: We do use SecureData Web in our mobile applications. We've been using it since we initially integrated the product several years ago. In fact, that was one of the data points that we had to protect from Day One. So we have the app going out to the Internet, grabbing the one-time encryption key and encrypting that data in the application itself on the mobile device, on the Android device, the Apple device, and then sending that encrypted data back to our payment-processing system, passing through any systems in the middle in encrypted form.

We also have a subsidiary that is not directly airline-related that is also developing a payment-processing app for the business space it works within. Because they're developing a true native application for iOS, they're going to be developing with the SecureData Web SDK that’s been released for mobile devices, which will certainly be much easier.

Gardner: Chris, we hear a lot of times that security is a cost center, that people don’t necessarily see it as a way of bolstering business value or growing revenue streams. It sounds like when you can employ some of these technologies, create a better posture, it frees you up, it makes you able to innovate and transform. Has that been the case with you? Can you point to any ways in which you've actually been able to increase revenue? I know that for airlines it’s a fairly tight margin on the travel, but some of those ancillary services can be a make or break; is that the case here?

Unbundled travel

Gullett: Allegiant is a leader in what we call unbundled travel; we would rather sell you exactly what you want. When an airline says that they offer free bags, for example, they're not offering you free bags. It does cost to put those bags in the hold, to put those bags in the overhead and carry those bags on the plane with you. There is weight, and then that costs fuel. So, there is an expense associated with every aspect of your travel on an airline today; that’s just the way it is.

Allegiant’s unbundled services allow us to say to a traveler, “Well, sure, if you want to get on the plane and you want to bring something and put it under the seat, we'll sell you a seat on the plane. If you want to bring 40 pounds of baggage to put in the hold, we'll charge for that,” because not everybody wants to bring a 40-pound bag to put in the hold.

The thing about Allegiant with its proprietary application that runs the airline is that if we see an opportunity to offer a new service to the customer or a new ancillary service to the customer, we don't have to go to a third-party and say, would you please add this so we can offer this feature to the customer; we can just do it.

At the time we were worrying about PCI compliance and how we were going to accomplish it, we also had a project to begin charging for carry-on bags, the bags that go up in the overhead. We could either spend a lot of time retrofitting the legacy app for PCI or we could spend time generating revenue by offering this new feature to the customer, where they would be charged for carry-on bags up in the overhead.

The seats on the plane, everything associated with the airline, have a very quick expiration date. When the plane takes off, an empty seat has no value and it will have no value ever again. When a seat takes off empty, we can’t sell that person a Coke, we can’t sell them a bag, we can’t sell them a [rental] car, we can’t sell them a hotel room; that's gone forever. So, speed to market is incredibly important for the airline industry and it may be more important for Allegiant.

In the case of our travails on PCI and how we were going to solve our PCI-compliance issue, we wanted to be able to add this feature to charge for carry-on bags. So now you have a choice. Do you spend a lot of time integrating and cleaning up legacy apps for PCI? Do you move ahead with something that could bring in millions of dollars in revenue? The answer, of course, is that you have to be compliant with PCI. So, we have to do that first.

The fact that we were able to implement the necessary controls with the HPE products in about three months, with about one-and-a-half FTEs, meant that other application developers could spend time on that carry-on bag feature in our software, allowing us to go to market with that sooner than we would have otherwise.

Now, look at the fact that we went to market three months earlier than we would have if we had spent three months stopping everything to do nothing but PCI compliance. Instead, we were able to use that time to develop carry-on bag charging services; that is millions of dollars that would never have been captured in any other way, because it expires, it’s gone. Once the plane leaves the ground, you can’t charge anymore.

So there was a real delivery to the bottom line as far as a profitable feature was concerned by being able to roll out that carry-on bags feature sooner. We had a much easier, quicker, and less resource-intensive ability to integrate, using the HPE Security products.

Where next?

Gardner: So going back to our opening sentiment around the fact that you can’t just wall off data, meaning the more data, the better for your business and the more places that data can get to, the better. You've demonstrated that that’s also core to business innovation, such as growing revenue in new ways, and being agile and adaptive to very competitive markets. That’s a very interesting example.

Before we sign off, Chris, where do you go next? How do you think your security steps so far have enabled you to be more fleet, more agile, and perhaps find other business benefits?

Gullett: There is no substitute for delivering innovative solutions to problems that are well-known throughout the business, and helping that to build your credibility with the executives and the board of directors. Certainly, the solution to our PCI-compliance issues got a lot of exposure to the company’s executives and the board. Being able to solve that quickly and without an impact to the operations of the airline brought information security awareness to a level that we had not previously enjoyed at the airline.

Although, if you talk to our executives and our board, they're going to tell you information security is very important, and I believe they believe that. The fact that you can demonstrate that you can deliver solutions that don't break the bank and do what they say they do, means a lot.

Going back to that three-legged stool, technology and the HPE Security products that we implemented for PCI are just one part. For example, if the folks aren't handling the credit cards properly or if they're not adequately protecting the data that they have on their mobile devices out in the field, our risk is just as great as a credit-card data breach would have been before we had implemented the tokenization. These are all things we kind of worry about.

Gardner: I'm afraid we'll have to leave it there. We've been discussing how airline Allegiant Air solved their PCI problem and got a whole lot better security and business culture as well. And we have seen how security technology can lead to a better posture maturity and then ultimately to cultural transformation and many added business benefits.

So join me in thanking our guest, Chris Gullett, Director of Information Assurance at Allegiant Air in Las Vegas. Thanks so much, Chris.

Gullett: Thanks, Dana. I appreciate it, and enjoyed the time with you today.

Gardner: I would like to thank our audience as well for joining us for this Hewlett Packard Enterprise Voice of the Customer security transformation discussion.

I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator for this ongoing series of HPE-sponsored discussions. Thanks again for listening, and do come back next time.

Listen to the podcast. Find it on iTunes. Get the mobile app. Download the transcript. Sponsor: Hewlett Packard Enterprise.

Transcript of a discussion on how security technology can lead to a better posture maturity and then ultimately to cultural transformation and many added business benefits. Copyright Interarbor Solutions, LLC, 2005-2016. All rights reserved.

You may also be interested in:

Thursday, July 07, 2016

How European GDPR Compliance Enables Enterprises to Both Gain Data Privacy and Improve their Bottom Lines

Transcript of a discussion on Europe's new data-privacy regulation and how it can be turned to a competitive business advantage.

Listen to the podcast. Find it on iTunes. Get the mobile app. Download the transcript. Sponsor: Hewlett Packard Enterprise.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're listening to BriefingsDirect.

Today, we present a sponsored podcast discussion on the implications of the European Parliament’s recent approval of the General Data Protection Regulation or GDPR.

This sweeping April 2016 law establishes a fundamental right to personal data protection for European Union (EU) citizens. It gives enterprises that hold personal data on any of these people just two years to reach privacy compliance -- or face stiff financial penalties.

But while organizations must work quickly to comply with GDPR, the strategic benefits of doing so could stretch far beyond data-privacy issues alone. Attaining a far stronger general security posture -- one that also provides a business competitive advantage -- may well be the more impactful implication.
We're now joined by three cybersecurity and legal experts to explore the new EU data privacy regulation and discuss ways that companies can begin to extend these needed compliance measures into essential business benefits.

Here to help us sort through the practical path of working within the requirements of a single digital market for the EU are Tim Grieveson, Chief Cyber and Security Strategist, Enterprise Security Products EMEA, at Hewlett Packard Enterprise (HPE). Welcome, Tim.

Tim Grieveson: Hi, great to be here.

Gardner: We're also here with David Kemp, EMEA Specialist Business Consultant at HPE. Good to have you with us, David.

David Kemp: Thank you very much, and I appreciate the opportunity to share our experiences, especially thanks to our relationship with PwC Legal.

Gardner: And we are here, too, with Stewart Room, Global Head of Cybersecurity and Data Protection at PwC Legal. Welcome, Stewart.

Stewart Room: Thanks, Dana. It’s great to be here.

Gardner: Tim, let’s begin with you and perhaps focus on the positive side of this. The GDPR could mean significant financial penalties in less than two years if organizations don’t protect all of their targeted data. But how can large organizations look at this under a larger umbrella, perhaps looking at this as a way of improving their own security posture?

Review Security

Grieveson: It’s a great opportunity for organizations to take a step back and review the handling of personal information and security as a whole. Historically, security has been about locking things down and saying no.

We need to break that mold. But, this is an opportunity, because it’s pan-European, to take a step back, look at the controls that we have in place, look at the people, look at the technology holistically, and look at identifying opportunities where we can help to drive new revenues for the organization, but doing it in a safe and secure manner.

Gardner: David, is there much difference between privacy and security? If one has to comply with a regulation, doesn’t that also give them the ability to better master and control their own internal destiny when it comes to digital assets?

Kemp: Well, that’s precisely what a major European insurance company headquartered in London said to us the other day. They regard GDPR as a catalyst for their own organization to appreciate that the records management at the heart of their organization is chaotic. Furthermore, what they're looking at, hopefully with guidance from PwC Legal, is for us to provide them with an ability to enforce the policy of GDPR, but expand this out further into a major records-management facility.

Gardner: And Stewart, wouldn’t your own legal requirements for any number of reasons be bolstered by having this better management and privacy capability?

Room: The GDPR obviously is a legal regime. So it’s going to make the legal focus much, much greater in organizations. The idea that the GDPR can be a catalyst for wider business-enabling change must be right. There are a lot of people we see on the client side who have been waiting for the big story, to get over the silos, to develop more holistic treatment for data and security. This is just going to be great -- regardless of the legal components -- for businesses that want to approach it with the right kind of mindset.

Kemp: Just to complement that is a recognition that I heard the other day, which was of a corporate client saying, "I get it. If we could install a facility that would help us with this particular regulation, to a certain extent relying once again on external counsel to assist us, we could almost feed any other regulation into the same engine."

That is very material in terms of getting sponsorship, buy-in, and interest from the front of the business, because this isn’t a facility simply for this one particular type of regulation. There’s so much more that could be engaged on.

Room: The important part, though, is that it’s a cultural shift, a mindset. It’s not a box-ticking exercise. It’s absolutely an opportunity, if you think of it in that mindset, of looking holistically. You can really maximize the opportunities that are out there.

Gardner: And because we have a global audience for our discussion, I think that this might be the point on the arrow for a much larger market than the EU. Let’s learn about what this entails, because not everyone is familiar with it yet. So in a nutshell, what does this new law require large companies to do? Tim, would you like to take that?

Protecting information

Grieveson: It’s ultimately about protecting European citizens' private and personal information. The legislation gives some guidance around how to protect data. It talks about encryption and anonymization of the information, should that inevitable breach happen, but it also talks about how to enable a quicker response for a breach.

To go back to David’s point earlier on, the key part of this is really around records management. It’s understanding what information you have where and classifying that information. What you need to do with it is key to this, ultimately because of the bad guys out there. In my world as an ex-CIO and as an ex-CISO, I was always looking to try and protect myself from the bad guys who were changing their process to monetize.

They're ultimately out to steal something, whether it be credit card information, personal information, or intellectual property (IP). Organizations often don’t understand what information they have where or who owns it, and quite often, they don’t actually value that data. So, this is a great approach to help them do that.

Gardner: And what happens if they don’t comply? This is a fairly stiff penalty.

Grieveson: It is. Up to four percent of the parent company’s annual revenue is exposed as part of a fine, but also there's a mandatory breach notification, where companies need to inform the authorities within 72 hours of a breach.

If we think of the Ponemon Report, the average time that the bad guy is inside an organization is 243 days, so clearly that’s going to be challenge for lots of organizations who don’t know they have been breached, but also that remediation afterwards once that inevitable breach happens, on average, globally, is anywhere from 40 to 47 days.

We're seeing that trend going in the wrong direction. We're seeing it getting more expensive. On average, a breach costs in excess of US$7.7 million, but we are also seeing the time to remediate going up.

This is what I talked about with this cultural change in thinking. We need to get much smarter about understanding the data we have and, when we have that inevitable breach, protecting the data.

Gardner: Stewart, how does this affect companies that might not just be based in the EU countries, companies that deal with any customers, or supply chain partners, alliances, the ecosystem. Give us a sense of the concentric circles of impact that this pertains to inside the EU and beyond?

Room: Yes, the law has global effect. It’s not about just regulating European activities or protecting or controlling European data. The way it works is that any entity or data controller that’s outside of Europe and that targets Europe for goods and services will be directly regulated. It doesn’t need to have an establishment, a physical presence, in Europe. It targets the goods and services. Or, if that entity profiles and tracks the activity of European citizens on the web, they're regulated as well. So, there are entities that are physically not in Europe.

Any entity outside of Europe that receives European data or data from Europe for data processing is regulated as well. Then, any entity that’s outside of Europe that exports data into Europe is going to be regulated as well.

So it has global effect. It’s not about the physical boundaries of Europe or the presence only of data in Europe. It’s whether there is an effect on Europe or an effect on European people’s data.

Fringes of the EU

Kemp: If I could add to that, the other point is about those on the fringes of the EU, because that is where this is originating from, places such as Norway and Switzerland, and even South Africa, with the POPI legislation. These countries are not part of the EU, but as Stewart was saying, because a lot of their trade is going through the EU, they're adopting local regulation in order to mirror it and to provide a level playing field for their corporates.

Gardner: And this notion of a fundamental right to personal data protection, is that something new? Is that a departure and does that vary greatly from country to country or region to region?

Room: This is not a new concept. The European data-protection law was first promulgated in the late 1960s. So, that’s when it was all invented. And the first European legislative instruments about data privacy were in 1973 and 1974.

We've had international data-protection legislation in place since 1980, with the OECD, the Council of Europe in 1981, the Data Protection Directive of 1995. So, we're talking about stuff that is almost two generations old in terms of priority and effect.

The idea that there is a fundamental right to data protection has been articulated expressly within the EU treaties for a while now. So, it’s important that entities don’t fall into the trap of feeling that they're dealing with something new. They're actually doing something with a huge amount of history, and because it has a huge amount of history, both the problems and the solutions are well understood.

If the first time that you deal with data protection, you feel that this is new, you're probably misaligned with the sophistication of those people who would scrutinize you and be critical of you. It's been around for a long time.

Grieveson: I think it’s fair to say there is other legislation as well in certain industries that make some organizations much better prepared for dealing with what’s in the new legislation.

For example, in the finance industry, you have payment card industry (PCI) security around credit-card data. So, some companies are going to be better prepared than others, but it still gives us an opportunity as an auditor to go back and look at what you have and where it fits.

Gardner: Let’s look at this through the solution lens. One of the ways that the law apparently makes it possible for this information to leave its protected environment is if it’s properly encrypted. Is there a silver bullet here where if everything is encrypted, that solves your problem, or does that oversimplify things?

No silver bullet

Grieveson: I don’t think there is a silver bullet. Encryption is about disruption, because ultimately, as I said earlier, the bad guys are out to steal data, if I come from a cyber-attack point of view, and even the most sophisticated technologies can at some point be bypassed.

But what it does do is reduce that impact, and potentially the bad guys will go elsewhere. But remember, this isn't just about the bad guys; it’s also about people who may have done something inadvertently in releasing the data.

Encryption has a part to play, but it’s one of the components. On top of that, you have technology around having the right people and the right process, having the data-protection officer in place, and training your business users and your customers and your suppliers.

The encryption part isn't the only component, but it’s one of the tools in your kit bag to help reduce the likelihood of the data actually being commoditized and monetized.
Gardner: And this concept of the personally identifiable information (PII), how does that play a role, and should companies that haven't been using that as an emphasis perhaps rethink the types of data and the types of identification with it?

Room: The idea of PII is known to US law. It lives inside the US legal environment, and it’s mainly constrained to a number of distinct datasets. My point is that the idea of PII is narrow.

The [EU] data-protection regime is concerned with something else, personal data. Personal data is any information relating to an identifiable living individual. When you look at how the legislation is built, it’s much, much more expansive than the idea of PII, which seems to be around name, address, Social Security number, credit-card information, things like that, into any online identifier that could be connected to an individual.

The human genome is an example of personal data. It’s important that listeners in a global sense understand the expansiveness of the idea or rather understand that the EU definition of personal data is intended to be highly, highly expansive.

Gardner: And, David Kemp, when we're thinking about where we should focus our efforts first, is this primarily about business-to-consumer (B2C) data, is it about business to business (B2B), less so or more so, or even internally for business to employee (B2E)? Is there a way for us to segment and prioritize among these groups as to what is perhaps the most in peril of being in violation of this new regulation?

Commercial view

Kemp: It’s more a commercial view rather than a legal one. The obvious example will be B2C, where you're dealing with a supermarket like Walmart in the US or Coop or Waitrose in Europe, for example. That is very clearly my personal information as I go to the supermarket.

Two weeks ago I was listening to the head of privacy at Statoil, the major Norwegian energy company, and they said we have no B2C, but in fact, even just the employee information we have is critical to us and we're taking this extremely seriously as the way in which we manage that.

Of course, that means this applies to every single corporate, that it is both an internal and an external aggregation of information.

Grieveson: The interesting thing is, as digital disruption comes to all organizations and we start to see the proliferation and the tsunami of data being gathered, it becomes more of a challenge or an opportunity, depending on how you look at that. Literally, the new [business] perimeter is on your mobile phone, on your cellphone, where people are accessing cloud services.

If I use the British Airways app, for example, I'm literally accessing 18 cloud services through my mobile phone. That then, makes it a target for that data to be gathered. Do I really understand what’s being stored where? That’s where this really helps, trying to formalize what information is stored where and how it is being transacted and used.

Gardner: On another level of segmentation, is this very much different for a government, or public organization, versus a private? There might be some verticals industries like finance or health, where they've become accustomed to protecting data, but does this have implications for the public sector as well?

Room: Yes, the public sector is regulated by this. There's a separate directive that’s been adopted to cover policing and law enforcement, but the public sector has been in scope for a very long time now.

Gardner: How does one go about the solution on a bit more granular level? Someone mentioned the idea of the data-protection officer. Do we have any examples or methodologies that make for a good approach to this, both at the tactical level of compliance but also at the larger strategic level of a better total data and security posture? What do we do, what’s the idea of a data-protection officer or office, and is that a first step -- or how does one begin?

Compliance issue

Room: We're stressing to entities that data [management] view. This is a compliance issue, and there are three legs to the stool. They need to understand the economic goals that they have through the use of data or from data itself. So, economically, what are they trying to do?

The second issue is the question of risk, and where does our risk appetite lie in the context of the economic issues? And then, the third is obligation. So, compliance. It’s really important that these three things be dealt with or considered at the very beginning and at the same time.

Think about the idea simply of risk management. If we were to look at risk management in isolation of an economic goal, you could easily build a technology system that doesn’t actually deliver any gain. A good example would be personalization and customer insights. There is a huge amount of risk associated with that, and if you didn’t have the economic voice within the conversation, you could easily fail to build the right kind of insight or personalization engine. So, bringing this together is really important.

Once you've brought those things together in the conversation, the question is what is your vision, what’s your desired end-state, what is it that you're trying to achieve in light of those three things? Then, you build it out from there. What a lot of entities are doing is making tactical decisions absent the strategic decision. We know that, in a tactical sense, it’s incredibly important to do data mapping and data analysis.

We feel at PwC that that’s a really critical step to take, but you want to be doing that data mapping in the context of a strategic view, because it affects the order of priority and how you tackle the work. So, some non-obvious matters will become clearer than data mapping might be if you take the proper strategic view.

A specific example of that would be complaint handling. Not many people have complaint handling on the agenda -- how we operate inside the call center, for instance. If people are cross, it's probably a much more important strategic decision in the very beginning than some of the more obvious steps that you might take. Bringing those things forward and having a desired vision for a desired end-state will tell you the steps that you want to take and mold.

Gardner: Tim, this isn't something you buy out of a box. The security implications of being able to establish that a breach has taken place in as little as 72 hours sounds to me like it involves an awful lot more than a product or service. How should one approach this from the security culture perspective, and how should one start?

Grieveson: You're absolutely right. This is not a single product or a point solution. You really have to bake it into the culture of your organization and focus not just on single solutions, but actually the end-to-end interactions between the user, the data, and the application of the data.

If you do that, what you're starting to look at is how to build things in a safe, secure manner, but also how do you build them to enable your business to do something? There's no point in building a data lake, for example, and gathering all this data unless you actually have from that data some insight, which is actionable and measured back to the business outcomes.

I actually don't use the word “security” often when I am talking to customers. I'll talk about "protection," whether that's protection of revenue or growing new markets. I put it into business language, rather than using technology language. I think it’s the first thing, because that puts people off.

What are you protecting?

The second thing is to understand what is it that you're going to protect and why, where does it reside, and then stop to build the culture from the top down and also from the bottom up. It’s not just the data protection office's problem or issue to deal with. It’s not just the CIO or the CISO, but it’s building a culture in your organization where it becomes normal everyday business. Good security is good business.

Once you've done that, this is not a project; it’s not do it once and forget it. It’s really around building a journey, but this is an evolving journey. It’s not just a matter of doing it, getting to the point where you have that check box to say, yes, you are complying. It’s absolutely around continuing to look at how you're doing your business, continuing to look at your data as new markets come on or new data comes on.

You have to reassess where you are in this structure. That’s really important, but the key thing for me is that if you focus on that data and those interactions, you have less of a conversation about the technology. The technology is an enabler, but you do need a good mix of people, process, and technology to deliver good security in a data-driven organization.

Gardner: Given that this cuts across different groups within a large organization that may not have had very much interaction in the past -- given that this is not just technology but process and people, as Tim mentioned -- how does the relationship between HPE and PwC come together to help organizations solve this? Perhaps you can describe the alliance a bit for us.

Kemp: I'm a lawyer by profession. I very much respect our ability to collaborate with PwC, which is a global alliance [partner] of ours. On the basis of that, I regard Stewart and his very considerable department as providing a translation of the regulation into deliverables. What is it that you want me to do, what does the regulation say? It may say that you have to safeguard information. What does that entail? There are three major steps here.

One is the external counsel guidance on what the regulation means, turned into a set of deliverables.

Secondly, a privacy audit. This has been around in terms of a cultural concept since the 1960s. Where are you already in terms of your management of PII? When that is complete, then we can introduce the technology that you might need in order to make this work. That is really where HPE comes in. That’s the sequence.

Then, if we just look very simply at the IT architecture, what’s needed? Well, as we said right at the beginning, my view is that this is under the records management coherence strategy in an organization. One of the first things is, can you connect to the sources of data around your organization, given that most entities have grown up by acquisition and not organically? Can you actually connect to and read the information where it is, wherever it is around the world, in whatever silo?

For example, Volkswagen had a little problem in relation to diesel emissions, but one of the features there is not so much how do they defend themselves, but how do they get to the basic information in many countries as to whether a particular sales director knew about this issue or not.

Capturing data

So, connectivity is one point. The second thing is being able to capture information without moving it across borders. That's where [data] technology, which handles the metadata of the basic components of a particular piece of digital information, [applies] and can [the data] be captured, whether it is structured or unstructured. Let’s bear in mind that when we're talking about data, it could be audio or visual or alphanumeric. Can we bring that together and can we capture it?

Then, can we apply rules to it? If you had to say in a nutshell what is HPE doing as a collaboration with PwC, we're doing policy enforcement. Whatever Stewart and his professional colleagues advise in relation to the deliverables, we are seeking to effect that and make that work across the organization.

That's an easy way to describe it, even to non-technical people. So, General Counsel, Head of Compliance or Risk, they can appreciate the three steps of the legal interpretation, the privacy audit, and then the architecture. Then, second, this building up of the acquisition of information in order to be able to make sure that the standards that are set by PwC are actually being complied with.

Gardner: We're coming up toward the end of our time, but I really wanted to get into some examples to describe what it looks like when an organization does this correctly, what the metrics of success are. How do you measure this state of compliance and attainment? Do any of you have an example of an organization that has gone through many of these paces, has acquired the right process, technology and culture, and what that looks like when you get there?

Room: There are various metrics that people have put in place, and it depends which principles you're talking about. We obviously have security, which we've spoken about quite a lot here, but there are other principles: accuracy, retention, delete, transfers, and on and on.

But one of the metrics that entities are putting in, which is non-security controlled, is about the number of people who are successfully participating in training sessions and passing the little examination at the very end. The reason that key performance indicator (KPI) is important is that during enforcement cases, when things go wrong -- and there are lots and lots of these cases out there -- the same kind of challenges are presented by the regulators and by litigants, and that's an example of one of them.

So, when you're building your metrics and your KPIs, it's important to think not just about the measures that would achieve operational privacy and operational security, but also think about the metrics that people who would be adverse to you would understand: judges, regulators, litigants, etc. There are essentially two kinds of metrics, operational results metrics, but also the judgment metrics that people may apply to you.

Gardner: At HPE, do you have any examples or perhaps you can describe why we think that doing this correctly could get you into a better competitive business position? What is it about doing this that not only allows you to be legally compliant, but also puts you in an advantageous position in a market and in terms of innovation and execution?

Biggest sanction

Kemp: If I could quote some of our clients, especially in the Nordic Region, there are about six major reasons for paying strict and urgent attention to this particular subject. One of them, listening to my clients, has to do with compliance. That is the most obvious one. That is the one that has the biggest sanction.

But there are another five arguments -- I won't go into all of them -- which have to do with advancement of the business. For example, a major media company in Finland said, if we could only be able to say on our website that we were GDPR-compliant, that would increase materially the customer belief in our respect for their information, and it would give us a market advantage. So it's actually advancing the business.

The second aspect, which I anticipated, but I've also heard from corporations, is that in due course, if it's not here already, there might be a case where governments would say that if you're not GDPR compliant, then you can’t bid on our contracts.

The third might be, as Tim was referring to earlier, what if you wanted to make best use of this information? There’s even a possibility of corporations taking the PII, making sure it's fully anonymous or pseudo-anonymized, and then mixing it with other freely available information, such as Facebook, and actually saying to a customer, David, we would like to use your PII, fully anonymized. We can prove to you that we have followed the PwC legal guidance. And furthermore, if we do use this information and use it for analytics, we might even want to pay you for this. What are you doing? You are increasing the bonding and loyalty with your customers.

So, we should think about the upsides of the business advancement, which ironically is coming out of a regulation, which may not be so obvious.

Gardner: Let’s close out with some practical hints as to how to get started, where to find more resources, both on the GDPR, but also how to attain a better data privacy capability. Any thoughts about where we go to begin the process?

Kemp: I would say that in the public domain, the EU is extremely good at promulgating information about the regulation itself coming in and providing some basic interpretation. But then, I would hand it on to Stewart in terms of what PwC Legal is already providing in the public domain.

Room: We have two accelerators that we've built to help entities go forward. The first is our GDPR Readiness Assessment Tool (RAT), and lots of multinationals run the RAT at the very beginning of their GDPR programs.

What does it do? It asks 70 key questions against the two domains of operation and legal privacy. Privacy architecture and privacy principles are mapped into a maturity metric that assesses people’s confidence about where they stand. All of that is then mapped into the articles and recitals of the GDPR. Lots of our clients use the RAT.

The second accelerator is the PwC Privacy and Security Enforcement Tracker. We've been tracking the results of regulatory cases and litigation in this area over many years. That gives us a very granular insight into the real priorities of regulators and litigants in general.

Using those two tools at the very beginning gives you a good insight into where you are and what your risk priorities are.

Gardner: Last word to you, Tim. Any thoughts on getting started -- resources, places to go to get on your journey or further along?

The whole organization

Grieveson: You need to involve the whole organization. As I said earlier on, it’s not just about passing it over to the data-protection officer. You need to have the buy-in from every part of the organization. Clearly, working with organizations who understand the GDPR and the legal implications, such as the collaboration between PwC and HPE, is where I would go.

When I was in the seat as a CISO, I'm not a legal expert, so one of the first things that I did was go and get that expertise and brought it in. Probably the first place I would start is getting buy-in from the business and making sure that you have the right people around the table to help you on the journey.
Gardner: I'm afraid we will have to leave it there. We've been discussing the implications of the European Parliament’s recent approval of the General Data Protection Regulation or GDPR. And we have heard how attaining a far stronger general security posture -- one that also provides a competitive business advantage -- may well be among the most impactful beneficial consequences of this new regulation.

So please join me now in thanking our guests, Tim Grieveson, Chief Cyber and Security Strategist, Enterprise Security Products EMEA, at HPE; David Kemp, EMEA Specialist Business Consultant, also at HPE, and Stewart Room, Cybersecurity and Data Protection at PwC Legal.

And a big thank you as well to our audience for joining us for this HPE-sponsored security market transformation discussion. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host for this ongoing series of practical business benefits discussions. Thanks again for listening and do come back next time.

Listen to the podcast. Find it on iTunes. Get the mobile app. Download the transcript. Sponsor: Hewlett Packard Enterprise.

Transcript of a discussion on Europe's new data-privacy regulation and how it can be turned to a competitive business advantage. Copyright Interarbor Solutions, LLC, 2005-2016. All rights reserved.
