As GDPR looms as a stimulus for better data privacy management, Crispen Maung of Box outlines the potential blind spots organizations may be missing.
As the vice president of Data Protection and Compliance for Box (an enterprise content management platform that serves nearly 70% of the Fortune 500), Crispen Maung helps ensure the company’s data management framework remains compliant with the most recent data protection regulations. Given the work that Box does in helping companies move to cloud-based data management, we asked Crispen to comment on the challenges and opportunities he is seeing with GDPR and to share his thoughts on what companies need to be aware of in their data protection efforts.
ANSWERS: What do you see as the most daunting GDPR readiness challenges and risks that corporations and other data controllers are facing?
CRISPEN MAUNG: I think the biggest challenges for data controllers are that they really need to understand what data they have and where it is spread or located within the systems that they are using. The challenge is further complicated by legacy systems and the proliferation of cloud computing solutions that have been implemented without a defined strategy or, more critically, without security or compliance review. In a nutshell, it’s “shadow IT.”
As a data controller, you need to understand not only where that data is and how secure it is, but also how that data is being used within and outside of your organization if you leverage third parties to provide IT solutions.
ANSWERS: What special considerations in handling data privacy do you have to contend with as a cloud content management company (aka data processor)?
MAUNG: From our perspective, it’s key to make sure that any cloud computing company that we leverage is an “enterprise” cloud provider and that the controls the provider has in place are enterprise grade. What I mean by that is making sure that the provider has robust and appropriate controls in place for data security and privacy throughout its infrastructure and operational processes. Additionally, as a controller you have to ensure that you can configure the cloud solution to meet your own interpretation of GDPR based on your analysis of the data types you are dealing with and your own company risk appetite.
An enterprise solution can be configured by you in many different ways, giving a customer an infinite number of possibilities of potential data protection failure vectors. Therefore, as long as the enterprise cloud provider has the necessary data protection controls in place then the risk moves to how a company implements the solution.
Additionally, data controllers that want to leverage an enterprise cloud solution also need to ensure that the provider is only using the data in the provision of the service. Data controllers often assume this is the case but they really need to ask questions around the topic of data usage. A lot of data controllers are not bringing this up at the moment because they’re not aware or they don’t have the experience in this space to be asking that question of an enterprise cloud provider.
ANSWERS: What advantages does the cloud provide versus on premise in data privacy compliance?
MAUNG: Moving to the cloud becomes a forcing function for companies to upgrade their IT infrastructure and how they deliver technology solutions to their users. Companies want to reduce their operational costs associated with maintaining their own systems and get rid of silos of information that may reside in people’s servers. This could mean under desks, on desktops and on servers that they may be running locally. Cloud transformation enables a company to move all its data into a central system, helping controllers understand where their data is and if it’s securely managed. It also provides insights into how that data is being used and if it’s used appropriately.
Once you’ve gone through a transformation process like moving to the cloud, there’s the opportunity to remove data from insecure locations and delete data out of the organization if it’s no longer needed. This then helps companies run a clean shop with regard to personal information and data within the organization.
ANSWERS: How can companies use the advent of GDPR enforcement to their benefit in their data management capacities?
MAUNG: There are cost benefits associated with GDPR, such as reducing the overhead of inventory of systems that companies manage internally. In my experience, I’ve found many organizations are storing petabytes of unused data because they either don’t know where it is or think they need to store it; not because they actually need it. The sheer physical costs associated with maintaining those systems can be significantly reduced by cleaning up their data management.
Going through the process of understanding data and how your business uses it provides a fantastic opportunity to automate business processes. The ability to build bespoke applications on top of a cloud platform will enable organizations to deliver system-driven repeatable and error-proofed processes.
Our position is that undergoing GDPR data compliance will help companies redefine their businesses, resulting in huge operational performance gains while delivering unmatched data protection.
ANSWERS: From your vantage point, what is a ramification related to data privacy management that many industry watchers are failing to identify?
MAUNG: Many are looking at the information security side of it, which is the obvious (and very important) place to start. What is often missed is if a company’s data is only being used according to the provision of the service. That is the blind spot at the moment.
I think there is a misconception that processors would reach out to the customer and ask, “Are you okay with us using your data in another way for these other purposes?” In my view, many controllers aren’t questioning processors today. Controllers need to know how their data is being used and, at the very least, ensure that the data is only being used in the delivery of the agreed service or to enhance the service currently being delivered. If the data is used for other purposes, controllers need to be aware so they can stop it if needed.
Ultimately, the data controller should be demanding proof that providers are meeting the requirements of the terms you signed up for in the provision of the service. At the moment, I’m willing to bet there are very few processors that can actually prove that’s the case.
ANSWERS: Which industries do you see as being at greatest risk for data privacy exposure? What steps should they be taking now?
MAUNG: At the risk of sounding like an alarmist, in my view all industries are at risk. From what I’ve seen, industries that contain troves of sensitive information within their IT infrastructure have effective security controls around ensuring that data is appropriately secured. But echoing my earlier comments, the biggest issue will be knowing how that data is being used and if it is being used in accordance with the expectations of the individual who owns that data.
In my mind the regulatory requirements associated with data usage have not been defined in sufficient detail. Therefore, what companies do with the data they have access to is concerning. So, it will be interesting to watch what happens in the world of big data and how data analytics will be commercialized.
As laws catch up with the digital era, data processors and their customers will have to be able to answer to regulators with absolute confidence about where their own and their customers’ data is, how that data is being used, and if it is contractually agreed that the data can be used in that way. GDPR is a step in the right direction and a good model for other regions to consider. And the good news is that lots of companies have already started the process, so they will be in a good position when the GDPR compliance deadline approaches.
For additional content concerning the use of personal data in the digital age, be sure to explore the rest of our multimedia series: A new dawn for data privacy and transparency.