On episode 30 of Coffee Chat with CastleHill, Tim Carbery is joined by Ashish Shrowty and Constantine Karbaliotis to discuss data privacy and its status as an enterprise priority for companies internationally. Shrowty also demonstrates how his company, Divebell, will assist organizations in automating their data privacy platform.
Ashish Shrowty trained as an engineer before spending over twenty-five years in the tech industry. In that time, he became well-versed in data management, building products and teams for finance and healthcare organizations. He is adept in information lifecycle management programs, data science programs, and held several leadership positions before co-founding Divebell, a company focused on intelligent data privacy.
Constantine Karbaliotis has worked in data privacy for nineteen plus years; or, as his tagline goes, “before data privacy was cool.” A lawyer based in Toronto with multinational experience in global privacy programs, as well as a stint as the chief privacy officer at Mercer, he is an expert in dealing with US and EU data privacy issues.
A DATA GOVERNANCE CURSE
The European General Data Protection Regulation is one of the critical modern advances in data security. Often noted for its role in driving accountability, transparency, data security and redefining data ownership, GDPR’s impact on information governance within and outside of the EU should not be understanded.
“GDPR has set the tone internationally for where countries are going with their laws,” States Karbaliotis.
Prior to GDPR, a person “would have expected that companies would be able to tell somebody what they know about you, be able to tell you where the data is, how its flowing, and yet: that’s not really possible,” he explains.
“Companies finally had to get their act together to be able to respond to the legal requirements. To do most of the things that are required by that law, you actually have to know where your data is.”
Companies’ scramble to ensure their GDPR-compliance created a unique opportunity for the individual consumer to become significantly more educated on privacy regulation. Over the past few years, this information has precipitated a shift in data governance from a corporate-centric view to an individual-centric view of data.
“There is no question that the spam we all received in 2018, saying, ‘Can we keep writing to you for GDPR,’ educated the whole planet in a way that privacy professionals have never been able to – because, of course, it would have been against the law,” Notes Karbaliotis. “Consumer expectations are as much a driver now as the laws are.”
Numerous components complicate a company’s ability to effectively govern the customer/consumer data they manage. Company turnover, legacy processes and spotty internal controls, combined with poor documentation, leave many organizations burdened with clunky interfaces and mysterious data caches that dramatically increase their risk.
“If you don’t know where your data is and what it is, it’s very hard to respond to, for instance, an individual’s data subject access requests,” Points out Karbaliotis. “What do I know about John Doe? When they, as they are entitled to under many laws, ask, ‘What do you know about me? Could you not sell it? Could you please delete it?’ Those fundamental things, because our information governance has been so poor, have been difficult for companies to implement.”
“Systems get built and the people who built it leave. You don’t have any documentation, things just sort of grow haphazardly through your organization, and then we have spaghetti – we’re trying to figure out how things thread together.”
GDPR implicates third-party management, as well. Smaller organizations linked to larger businesses are held to the same expectations of data governance, impacting the entire supply chain.
“For many businesses who are now tied to big companies, those expectations are getting passed down by contract… because supply chain is really how data is percolating out,” Karbaliotis says of the implications GDPR has for third-party risk management. “That’s a profound change now, for organizations. Before, it was just compliance— nobody wants to spend money on compliance.”
“Well, the Europeans know that,” He laughs, “and that’s why they made the fines as big as they are. When revenue is at stake, companies are paying attention.”
“It’s an nth party problem,” Agrees Carbery. “It is a full supply change problem, and with the proliferation of cloud technologies and capabilities, that is a blessing and, in some cases, a data governance curse.”
DIVEBELL
In the slurry of changing regulations, modified contractual clauses, and innumerable technologies through which data may be collected and stored, it is difficult to fathom how any one company can elegantly track and maintain its understanding of where data resides. Divebell offers a solution for organizations seeking to improve the effectiveness of their data governance and privacy activities.
The initiative behind Divebell was fueled by a common frustration in the world of data privacy. Shrowty outlines a not-so hypothetical situation from his own experiences: “The constant theme that we hear is: I am being asked to attest to what kind of information exists in all of this data that I have, which is moving and changing every day. It’s my name on that spreadsheet that is going up to the regulators.”
“It’s frustrating,” He emphasizes. “I am challenged, because if I don’t know that information, and, god forbid, if I give out the wrong information, it’s my neck on the line.”
Initial attempts to mature data governance and privacy management focused on automating the workflow, a pursuit that ultimately fell flat. “To us, that’s not really automation,” says Shrowty. “The hard part is doing a rapid survey of all the data landscape that is out there, which, by the way, is growing. Data is growing like crazy with cloud, all these macro forces that are enabling companies to store a massive amount of information.”
Divebell automates data governance and privacy management by creating a system that allows officers stakeholders to quickly and efficiently locate answers to their most fundamental – and pressing – questions.
“The thing you really have to automate is the process of figuring out where the information is, what kind of information it is, who is accessing this information, where it is flowing – these are the tough questions that you need to be able to answer effectively and continuously,” he states. “There are new technologies, new techniques, and we strongly believe that it is doable. That it is where the force of technology should be employed, to understand where the data is.”
To aid clients in understanding their data, Divebell has curated a streamlined process that offers companies a without a significant impact on their day-to-day operations.
“Divebell has the ability to deploy what we call ‘sensors’ in a lightweight fashion so that you are able to do a data survey in an automated fashion,” Shrowty explains. Divebell is designed with three crucial elements of data management in mind: the ability to selectively scan data; the ability to manage data within the boundaries of the organization; and a highly sophisticated system aimed at weeding out ‘false positives.’
“This industry has been plagued by false positives,” He sighs. “When you are trying to find out what kind of information exists, there is always that accuracy problem… we pride ourselves on a lot of investment that we have put into a very accurate detection techniques and classification techniques.”
“One of our principles at Divebell is that we want to enable organizations to use data to drive the business forward – but how can we help them be responsible and better custodians of that data?” Shrowty concludes. “Data governance has been around for a while, but for the longest time, it has taken a backseat. Now, with the focus on customer data rights, privacy and security, being in this umbrella of data governance, it’s getting a new push to say: yeah, we are going to use this data, but we are going to do it responsibly, and we need to have the appropriate controls in place to make sure that the pipeline is moving in an appropriate manner.”
CastleHill can help you to integrate your data governance and privacy management risk management. Whether it’s linking your GRC policies and procedures into Divebell as part of the scan, driving remediation of policy and regulatory breaches or just ensuring that the overall process is integrated with your GRC platform, CastleHill can help to mature your data governance and privacy management capabilities.
Hear more about the future of data privacy, Divebell, and integrating with broader risk management at: Coffee Chat with CastleHill | Episode #30: Data Privacy; Data is a Risky Asset – YouTube or email us at info@castlehillrisk.com
To learn more about Divebell, visit them at: www.divebell.com