GDPR is only a few months away. How is your organisation preparing?
Egnyte is a major player in providing enterprise file services, with its platform allowing businesses to share files on-premises and in the cloud efficiently.
Secure and smart file-sharing is only going to become more important once GDPR rolls around, so Siliconrepublic.com spoke to co-founder and data protection officer (DPO) at Egnyte, Kris Lahiri, about avoiding scaremongering and examining what your company does with its data in a simple way.
Based in Mountain View, California, Egnyte is used by major firms such as BuzzFeed and Yamaha, and backed by Google Ventures and Kleiner Perkins Caufield & Byers.
Lahiri said that since Egnyte was founded in 2007, secure collaboration and content-sharing have been its key aims.
He noted a recent trend that caused the company to launch Egnyte Protect, a product that overlays all of the data held in Egnyte. “Over the last two to three years, as more of our customers have been putting more of their data in Egnyte, we realised that they wanted a lot more content protection and governance-type features and, every time they would try to do it through a different platform or service, it felt very cumbersome to the use case.”
Easing the compliance headache
So, how does Egnyte Protect work? It uses technology such as pattern matching, proximity matching and other machine-learning elements to detect anomalies, sorting and flagging data for relevant organisational departments.
When it came to the announcement of GDPR, Egnyte already had a wealth of experience in secure content-sharing under its belt, and decided to adapt Egnyte Protect to help ease the compliance headache for organisations. “We morphed a bit of Egnyte Protect’s classification and all of that, to look at all the things that are flagged as personal data from a GDPR standpoint, and then went down through the explicit articles.”
He explained that the main difficulty in building the compliance tool was the number of languages the product would need to handle. “What we [in the US] call a social security number in Polish could be called something completely different in the Polish language, so that was the main challenge.”
He continued: “What we found was that a lot of people who are interested in making sure they are compliant with GDPR want to know what type of personal information could be around in their repositories.
“Most of the time, they are a little paralysed – ‘I don’t know what to do, I don’t know what stuff I have, I don’t know where my stuff is.’”
Lahiri and the team had one major keystone for their ethos: “The deadlines are pretty clear, the fines are pretty clear, so let’s find out a way that we can help these guys to make some meaningful steps.”
Don’t be negative about GDPR
Lahiri said the negative ‘bogeyman’ strategy simply doesn’t work. “We felt we were doing it differently, as it’s always a doom-and-gloom situation, and that’s just not the right way to help customers.”
He explained that although EU residents are “a bit more well versed with GDPR”, US organisations have now “hit the ground running” as the clock ticks towards 25 May. He added that the contingent of US customers who are not at all aware of the impending regulations is “rapidly reducing as, nowadays, even in the US, everybody’s inbox is filled with webinar links and emails about GDPR”.
Lahiri noted that some organisations needed to be educated on the fact that even simply taking a name and an email address from an EU resident or data subject makes them liable under GDPR. He expects a major uptick in US organisations pursuing a thorough compliance strategy in the first quarter of 2018.
People are key
As for general recommendations, Lahiri’s first and last steps towards compliance are the same: people. Whether it’s assigning a DPO or offering data protection training to staff, education is crucial.
Lahiri added that the data protection team should be cross-functional, with diverse and varied skillsets.
He concluded by explaining that organisations will have to re-evaluate how they collect and use data. “GDPR expects you to use a lot of data minimally. People have happily taken as much information as they could whether they needed it or not.
“GDPR has challenged this – just take what data you need for your processing, not everything under the sun.”