You’ve heard it all before. 

• Software is eating the world 
• Data is the new oil
• Monetize your digital assets

You believe how well a company uses and manages data is the key to 21st century competitiveness.

You might have even sent some colleagues a link to Andreesen’s Software is eating the world article.  No response. Many of us have fallen into the same trap. 

"Better, faster, cheaper doesn’t sell – With a world suffering from information overload, no one’s buying." 

Bottom line: With a technical value proposition, you must show, not tell.

Imagine if Henry Ford had sold his first car based on a pitch about his assembly line. Wouldn’t have gone over so well. Instead, he used assembly line’s technical value proposition (remember there were over 100 car manufacturers at the time) to create a car at a new price point. Instead of better, faster cheaper, the value proposition was –

“Now you can afford the same transportation as the rich”

What does this have to do with GDPR?

With 99 recitals, GDPR does many things, but a core underlying concept is Privacy by Design. What this means is that organizations with EU resident data need to design in privacy from the ground up. In other words, companies must get (a lot) better at controlling data. 

Unfortunately, this is just another version of the better, faster cheaper story: It doesn’t sell either to customers, or to other executives in the company.

Think about it – if your organization gets much better at handing data, what else can it do?  

If you’re a b2b marketing or financial payments company, you could extend your offerings to include data governance for your customer’s customer data. 

“Now you can afford the same data governance as the rich companies”

If you’re a commercial banker, you could avoid regulatory fines while finding the experiences millennial crave and create richer, experience-based customer engagement with your payment solutions.

“Now you can afford to be treated with the experiences you deserve”

The point is, even though ignoring the operational risks I mentioned in Part 1 of this article could land your organization on page 1, that pitch doesn’t win you friends (or customers) either inside or outside your organization (except, perhaps your CFO).

A better approach for legal, compliance & operational professionals

is to attempt to partner with the business to create new customer engagement, with richer experiences, more personalization and attack or create new markets with new business models. Like going to the gym, universal data governance is building new muscles and endurance. But sell the hike to Machu Pichu or the new girlfriend, not the long trips to the YMCA.

GDPR presents a trigger point: Don’t fall into the better, faster, cheaper trap. 

There’s a sad reality though –  most people who buy gym memberships never set foot in the gym a second time. The same is true with data governance/GDPR compliance. Given the short term thinking prevalent in so many organizations, many executives in these organizations are not interested in the heavy lifting required to put data governance in place as a catalyst for richer customer engagement and access to new markets. 

In that case, the right time to push for GDPR compliance in operations will be after the front-page article comes out, or after the organization is disrupted by digital natives like Amazon or Apple. At that point it will be too late of course…

This is the second part of a 2 part article on GDPR. You can find the 1st part here.

Learn more about how to how to solve for GDPR through automation at www.privops.com

Job well done, it's time to celebrate!

You've updated your cookie polices, your privacy notices, contracts & agreements. Brand new process documents are in place. It was quite the fire drill, but you're ready for GDPR. Time for some well deserved rest.

Then you get the call

A complaint was filed by someone who visited your website anonymously claiming they asked for all their data to be deleted under GDPR's Right to be Forgotten requirement and your company never provided a confirmation receipt. Now Ireland's ICO (information commissioner's office) has launched an investigation. "How is that possible, we don't even have an office in Ireland, and the user was anonymous for goodness sake!", your CEO remarks. After the investigation, it turns out that, even though you have documented processes and trained your employees, nearly 25% of the 200 or so monthly right to be forgotten, data portability, data access, and profiling opt-out requests were dropped. To make matters worse, a low level marketing manager provided thousand of customer records containing sensitive data to an marketing analytics startup that was promptly hacked. You didn't know about it, so you're also in violation of GDPR's 72 hour breach notification requirement.

The good news, the regulator tells you, is that you weren't deliberately avoiding compliance with GDPR. She probably uses the word "mitigating". Because of the "mitigating factors" they decide the penalty will be only 2% of your annual revenue or 325 Million Euros (instead of the maximum 4%)

But the damage is done. That low level marketing manager is gone, but because of the negative press, your EMEA revenue drops a startling 18%, you miss earnings, and your stock drops 35% over the ensuing months. Now Carl Icahn and Greenlight Capital have put up their own slate of board members and they've indicated they intend to take your company private. 1000s of people lose their jobs.

How is this possible?

This story is fictional, but it's a very real scenario that companies will face in the ensuing months and years. The reality is that GDPR is more than privacy notices and breach notification requirements, it's about protecting personal rights - and meeting those requirements requires highly effective processes. To be sure, updating your notices is required, but to protect your data, protect your customers, and protect your job, you need to make sure your operations can handle the processes GDPR requires.

Automation: A requirement for GDPR compliance

In part 2, I'll talk about how meeting GDPR compliance requirements can actually help your company disrupt the competition.
 

Hear Tyler Johnson's take on GDPR and the future of Fintech

Credit: BooDigital Here: https://boodigital.com/ https://twitter.com/talksdotcoffee https://www.facebook.com/coffeeshoptalks/ 

Just last week, I noted that the UK's Information Commissioner’s Office (ICO) closed its investigation into Facebook under GDPR (the EU's new data protection law) sharing personal data with WhatsApp who they acquired in  2014 when Facebook agreed that the Facebook and Whatsapp platforms would not share data. 

At the time I noted that this was a great example of GDPR's strategic company risk.  Sharing customer data is usually one of the primary reasons for M&A; without it, the value of such transactions is often dramatically reduced. I wonder how many CFOs are accounting for GDPR strategic risk in their M&A strategy. Probably not many.

Wow that was quick - It just got much worse for Facebook

I just watched Mark Zuckerberg's mea culpa about the Cambridge Analytica breach on CNN.  I believe he's "really sorry", there's no question his company is real trouble.

But did the activity carried on by Cambridge Analytica's Facebook user data constitute a security breach? In this case, hackers didn't compromise either FB or Cambridge Analytica, so one would have to argue that no, it wasn't a security breach.

A new concept (for some):  PRIVACY BREACH

In the US, the laws governing privacy are weak to non existent.  We're used to privacy notices being buried; an extensive data brokerage market exists where companies are free to sell your personal data for practically any use, including how much you pay for services, what job interviews you get, what ads you see and so on.

CIO.com:  Inside the Shadowy World of Data Brokers

But as Facebook is about to discover, that doesn't mean there isn't legal risk.  Lawsuits have already been announced. It's clear Facebook's troubles are just beginning.

For data privacy in the EU, things are quite different. There's no question that Cambridge Analytica's use of is a clear violation of GDPR.  Ireland and the UK have already both opened investigations.   The fines are likely to be tame since GDPR doesn't go into enforcement until May, but it's a near certainty EU regulators will find other ways to enforce a maximum penalty of 4% of Facebook's $40 Billion (about $1.6 Billion) . This pales in comparison to their brand risk, not to mention the risk the other 3rd parties have retained personal data scraped from Facebook and put (or will put) that information to use.

What's your risk that 3rd parties retained personal data your company gave them?

  How may EU citizens are likely to stop using Facebook altogether?  To understand this, let's talk about the EU consumer, and the cultural forces driving GDPR.

For many in the EU data privacy = Freedom

It's been explained to me that Europeans have a cultural memory of the Nazi "surveillance state"  and this is one of the primary reasons why Europeans take data privacy so seriously (EU friends, would love your thoughts below on this)  GDPR is notable, not because of the hefty fines, but because it makes control of personal data an individual right. 

The Facebook Cambridge Analytica privacy scandal is sure to strengthen this perception because of the Trump campaigns' use of personal data to manipulate voters (Democrats, you're not off the hook either - see this article). This makes the likelihood of GDPR action against US companies much more aggressive than it otherwise would have been. 

What can the US companies learn from the Facebook scandal?

While Facebook's situation is extreme compared to most US companies at present,  most companies collect significant amounts of sensitive personal data, and with that comes significant responsibility, and risk. 

GDPR is a major risk for companies with EU customers (or who otherwise handle EU resident data), but as the Facebook situation clearly demonstrates,  it's not just regulatory risk and it's not just in the EU. 

On one hand, we need this data to do a better job creating products and experiences customers want.  On the other hand, handing such data in a consistent secure manner company wide is very difficult, especially when that data lives in many places and with 3rd parties. Companies that engage in M&A activity are especially at risk because their personal data is often fragmented across hundreds (or even thousands) of data silos.

Compliance with GDPR is a good start.  If Facebook had automated data governance in place that fully complied with GDPR (including controls for 3rd party access like Cambridge Analytica) , their risk would have been much lower.   If you'd like to know more about data governance automation for GDPR, look here.

Data is the lifeblood of every company.  Knowledge of your customers and the ability to use that knowledge to create better new products and customer experiences is how enterprises survive and thrive in the 21st century. 

But that data must be protected. As we’ve seen from high profile breaches at large organizations like Equifax and the NSA as well as many smaller companies, large, well-funded and organized threat actors are taking advantage of increasingly sophisticated tools and techniques to exponentially grow business risk. 

Globally, governments have taken notice and have introduced new regulations requiring organizations to employ new methods designed to safeguard customer and employee data from not just cyberattacks, but also misuse of the data.

As the threat and regulatory landscapes rapidly evolve, new data protection regulations introduce significant and growing operational risk as well as new business risks.

What is GDPR?

The General Data Protection Regulation is the 2016 data privacy law enacted in the European Union (and likely the UK as well). After a 2-year grace period, enforcement will begin in May 2018, and at that point, up to 4% of global company revenue and unlimited liability is at stake for US companies with European customers.  Here are some of the new or enhanced key requirements that will be most challenging to handle.

GDPR: Risk, Opportunity or Neither?

Regulatory Risk

Many people believe that GDPR applies only if a US organization has a physical presence in Europe, but this is not true.  If an organization has customers or employees in Europe or accept EU resident data, then GDPR applies. But not all risks are created equal. 

The headline is that after May 2018, up to 4% of global company revenue and unlimited liability is at stake for every US company with EU customer or employee data, but actual penalties will depend on many mitigating or aggravating factors.

• Extent to which the company is pursuing a privacy/security by design strategy
• Quantity of personal data
• Potential breach impact (nature of the data)
• Willful or accidental misuse of personal data by collectors and/or processors
• Company brand visibility
• Etc.

Unfortunately, it is difficult to assess this risk up front; a GDPR readiness and risk assessment is required to establish the risk cost equivalence. Additionally, there are other types of risk to consider: Operational, liability, strategic and brand risk are also significant.

Operational Risk

Many organizations lack the controls that make it possible to even know where all their customer data lives, much less understand the impact if that data were to be misused. But finding, classifying and assessing personal data is only the beginning; the real work begins with making business and IT operations compliant. 

Operational risk is exacerbated by the fact that the landscape for compliance and security is rapidly evolving, driven by new threats, new actors, as well as new case law and policy changes. Without automation, GDPR compliance costs can grow over time & overwhelm organizations.

Compliance Automation

• Supports Privacy by Design
• Reduces errors leading to enforcement and/or breaches
• Reduces cost by automating compliance workflows
•  Reduces the threat surface with approaches like pseudonymization & encryption

GDPR’s Strategic Risk & Opportunity

In  addition to Regulatory and Operational risks, there are significant strategic risks to consider

•  Competitiveness:  GDPR requirements make scalability more difficult, which makes it necessary to source additional hard to find talent, limits use of predictive analytics for decisions, inhibits new product development, and makes it more difficult to enter new market segments

• Customer Experience:  Some organizations, instead of evolving, will choose to reduce risk by limiting the use of personal data.  This can happen without leadership even being aware.  Over time, the ability to deliver new, more personalized customer experiences will be drastically limited
• Trust  With so many high-profile breaches, even comparatively minor GDPR enforcement actions could permanently impair a company’s brand and damage its relationship with customers, employees and partners.

Although the operational, regulatory and strategic risks are real, GDPR can also represent an opportunity to create competitive advantage.  By utilizing GDPR as an opportunity to begin automating, you begin to create a more agile enterprise while supporting the costs of compliance with the savings you achieve through automation.

I really had a great time at ATDC's Fintech Hackathon last week.  The energy was amazing and it didn't hurt to come back with a share of the prize money as part of the PupWalkr team - wnners of the $5,000 Worldpay prize. 

Originally posted on the Bridge community blog:  BridgeCommunity.com/blog

It was the fall of 2014 and we were finally ready. Nearly 10 years after getting my MBA in Entrepreneurship from Southern Methodist University in Dallas, we had finally built up enough savings and it was time to leave the corporate world to embark on the new, uncertain path to building a new company. But my home in San Antonio, TX wasn’t the right fit for the new venture – lacking in both a strong personal and startup network – we needed to move.

But where?  Since I’m in the cloud computing space, the Bay area in CA is an obvious first choice, but after looking at how quickly we would burn up our savings, it seemed too risky.  We could go back to Dallas and I could make great use of all the school and business connections there, but the tech startup scene is only just emerging and more importantly, our family was really feeling a need to reconnect with our roots in the South – so we took a look at Atlanta.

At first glance, the main redeeming qualities for Atlanta were the major airport and the relatively reasonable cost of living.  I figured worst case, the flights to San Francisco and Seattle would be reasonable and we’d be within a day’s drive from our families in Alabama and Florida.  But after beginning the process of inserting our family into the fabric of our local community we found that, almost by luck, we had found the ideal place for us to start our tech company.

Soon after moving to Alpharetta, the fastest growing large city in GA and the home of great schools for our 2 sets of twins (as well as a number technology companies large and small), we joined Georgia Tech’s Advanced Technology Development Center (ATDC). Our membership turned out to be a great way to get engaged with Atlanta’s technology community and an amazing source of resources.

I quickly realized that Atlanta had a vibrant technology startup scene with Tech Square, Atlanta Tech Village, the Tech Alpharetta Innovation Center and lots of startups – especially in the Mobile, Fintec, Security, and, increasingly, the IoT space.  And unlike my experience in the Bay area, there’s a strong faith based component to our technology communities with organizations like High Tech Ministries, which was an unexpected but welcome bonus to being part of the Atlanta technology scene. The other thing we have going for us is the large number of innovative large companies in Atlanta, companies like Coca-Cola, SunTrust, The Weather Company, Intercontinental Hotel Group, UPS, Cox Enterprises, Delta, NCR and many others that could serve as early adopters of new technologies.

Atlanta’s strong community of large companies is a clear benefit for B2B startups focused on businesses, but there’s a catch – corporate cultures can be risk averse, slow to move and difficult to navigate, and this is a real challenge for startups. Enter Coca-Cola’s BridgeCommunity. This program, sponsored by 7 Atlanta companies, was created to bridge the gap by partnering startups with Fortune 500s for pilots and the commercialization of new technologies. It wasn’t easy for us to get in – we went through 2 rounds of selection, and out of more than 200 startups, we were one of just 22 selected.  Now, as a BridgeCommunity startup, we are in a great position to build deep corporate relationships and potentially land one of Atlanta’s giants as our customer – a win that would catapult our startup to the next level.    

Atlanta provides a unique place for startups. For us, the combination of faith and family, the vibrant startup scene, and the strong corporate business economy have proven to be an ideal fit. I know that we’re losing large numbers amazingly talented Ga Tech, Ga State, KSU, Emory and other grads to competing tech hubs, but as they mature and want to start families while still participating in world class innovation, they’ll realize that coming home to Atlanta is a great option. Our company is still early, but with the help of our Atlanta community and the BridgeCommunity, Convergent is in great shape to be a huge success.

Some don't realize it yet, but everyone now competes with the digital natives.

While Amazon, Facebook, Google and other “digital native” companies rapidly launch new products and services with a modular, automated, standardized approach (Devops/Agile), traditional companies increasingly struggle to compete because they can’t take advantage of actionable data being held hostage by traditional and SaaS software vendors, legacy systems, and business silos.

Data is the most valuable resource of the 21st century.

Digital natives understand this. As they use data to control more and more of the customer experience, they can extract more margin from companies that produce the products.

Do we really know who our digital competition is? Here are a few examples:

• Hotels/hospitality: Online travel agents (Priceline.com), Airbnb
• Professional Services, Healthcare, Dining: Yelp, Google, Opentable, Healthgrades.com
• Retail: Amazon, Google
• Marketing: Google and Facebook
• Consumer product branding and distribution: Amazon, Google Facebook
• Logistics and Transportation: Fulfilled by Amazon, UBER
• Media: Facebook, Amazon, Netflix, Google

Case Study: Rackspace

When I joined Rackspace in 2011, we were in a tight race with Amazon for leadership in the cloud; I ran the product team that grew the VMware practice to be one of Rackspace's top businesses. But we fell behind. We couldn’t launch new features fast enough to keep pace with Amazon.      

We had neither the time or resources to replace or fix all the legacy systems laden with technical debt. There was lots of infighting between teams with ownership of the various systems. It was excruciating and got worse over time.

Even when we did launch, new services were often anemic, buggy, and late. I saw my enterprise customers struggle with the same challenges – Migrating applications to the cloud was expensive, time consuming and risky. Upon leaving Rackspace, I realized that the problem wasn’t technical debt, but process and architecture.

Rebuilding the Ship at Sea

So how do traditional companies create new customer experiences to compete with digital natives? The solution is to liberate data with integration that applies a lean, agile, and devops driven methodology to a highly automated, reconfigurable, and open architecture.

To be successful, the technology and process driven approach must avoid re-platforming most legacy apps, future proof the enterprise by providing companies ongoing control over their data, provide for automated release of changes as small as a single data field, and minimize risk by providing the capability to easily prototype use cases.

This approach sets the ground work for the digital enterprise that automates, rapidly reconfigures and scales new use cases for rich data, analytics, IoT and AI.

This is no small task; it requires a strategic view of data and a new unified approach that covers not just what we think of as traditional data, but also integrates and automates across all infrastructure, software, workflows and policies, both on and off the cloud.

Because point solutions make integrating data and scaling use cases harder not easier, a unified, standardized approach to data management across all types of data is a must to support reconfigurability, automation and technical debt avoidance.

The ability to reconfigure data and applications on the fly is required to support new business models and changing competitive situations. An architecture with open source in the data integration layer is required to support this. Proprietary systems, by their very nature, hold data hostage to maximize profits, and prevent companies from having the flexibility needed to adjust to the market.

And finally, the architecture must be purpose designed from the ground up to support enterprise grade features like security, audit and compliance.  We can compete with the digital natives and win, but we need the right data strategy, and the right platform to execute that strategy.

We've created the The PrivOps Matrix to help you get started with this approach by piloting digital integration use cases. You can deploy the integration fabric to the cloud in a few hours and prototype new integration use cases in 1 to 2 months. It’s completely automated, self-deploying to the cloud, and the architecture is designed from the ground up to scale-up across multiple clouds and datacenters employing both Agile and Devops methodologies. It’s also built on open source software meaning you own your data without having to worry about predatory software vendors

Your projects requiring integration would benefit enormously from this new approach, so let’s pilot ways to be more agile like the Amazons and Googles of the world. 

-Tyler

Set your data free, set your company free

Great news to share! We’ve been selected as one of the 22 startups in the BridgeCommunity’s 2017 program cohort. To say we’re thrilled would be an extreme understatement. This program connects us to Fortune500’s looking to partner and pilot with startups to solve their most pressing issues. The amazing line-up of enterprises we get the opportunity to connect with over the next 6 months includes: Capgemini, Coca-Cola, COX Enterprises, InterContinental Hotels Group, Porsche Financial Services, SunTrust Bank, The Atlanta Hawks/Philips Arena, and The Weather Company.

The BridgeCommunity’s sole objective is to help startups find the right customer inside the walls of large corporations. Based on the results from their first cohort last year (10 participating startups with 9 proof-of-concepts and pilots created), we’re in an excellent position to make strong corporate connections and land one or more deals within the program.

If you’re interested in technology innovation or our mission to empower people through data, check us out! Click here for more

Not too long ago, I came across one of Brené Brown's masterful TED talks where she referenced Theodore Roosevelt's famous "Man in the Arena" quote: (re-posting here since it's great prose)

"It is not the critic who counts; not the man who points out how the strong man stumbles, or where the doer of deeds could have done them better. The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood; who strives valiantly; who errs, who comes short again and again, because there is no effort without error and shortcoming; but who does actually strive to do the deeds; who knows great enthusiasms, the great devotions; who spends himself in a worthy cause; who at the best knows in the end the triumph of high achievement, and who at the worst, if he fails, at least fails while daring greatly, so that his place shall never be with those cold and timid souls who neither know victory nor defeat."

In the last few years, you may have noticed there's a growing trend for top technologists publishing books related to their craft as a way to achieve thought leadership in their respective fields. Makes sense:

Many are the challenges of being heard in an increasingly noisy, Internet driven marketplace of ideas.

There's nothing wrong with writing books of course (I read them avidly as it turns out), but there's a fundamental disconnect between "thought leadership" and innovation. As Brené Brown puts it:

"Vulnerability is the birthplace of innovation, creativity and change."

While putting Roosevelt and the queen of vulnerability together might seem antithetical, they do make the same point:

Innovation (or any change for that matter) requires risk.

Thought leadership as it turns out is about building your personal brand and establishing your credentials. You need other thought leaders to broadly share your insights and to present yourself as an expert. Controversial ideas, authenticity, and vulnerability can and often do get in the way of establishing your brand. As it turns out:

Risk (and innovation) is antithetical in many ways to the current model of thought leadership.

What do you do? There is no right answer, but for me the answer was stop worrying about appearances, enter the arena, and that means becoming vulnerable. I have given up the safety of a securing a middle class lifestyle by leaving a lucrative job and re-learning how to code in order to build an unproven software platform that no one may ultimately pay for until proven otherwise. At the same time, I get to watch our family's savings dwindle along with the prospect of a comfortable retirement.

Jesus also has something to say on this topic:

Matthew 6:25 "Therefore, I say to you, don’t worry about your life, what you’ll eat or what you’ll drink, or about your body, what you’ll wear. Isn’t life more than food and the body more than clothes?" 

I thought about this quite a bit earlier this year as we laid my mother to rest. At the end of my days, will it matter to me how much money I made or how comfortably I lived? No, what will matter is the impact on those around me, and how I tried to improve the world, be it successful or not. So for me, the question of should I focus on writing (note this is my first post in months) or coding is clear:

I choose to code.

I have faith that if I work hard enough for long enough, it will be enough. It's a work in progress though. It was hard when I quit coding last night at 2AM after finally solving a bug more experienced coders might have found much sooner in software nobody's decided to pay for (yet). Doubt creeps in...

At any point in time, you might look at your results and say "that's not world class" or "that's not good enough", but I'm going to keep going anyway, keep improving, keep trying: And let God be the judge of if it's good enough.

I know He'll forgive me if it's not... (although my broke family may not :-)

Matthew 6:21 "Where your treasure is, there your heart will be also."

If you’re interested in technology innovation, check us out! Click here for more

-Tyler