GDPR and Master Data Management - Q&A with CMO Michael Hiskey

This initially appeared as a podcast on One World Identity.

Host Cameron D’Ambrosi of One World Identity joins Semarchy CMO Michael Hiskey to discuss master data management, 2018’s looming European GDPR implementation deadline, and why enterprises should view new data privacy regulations as an opportunity.

Who Will Be the GDPR’s Martha Stewart?

In November of 2017, Michael Hiskey, CMO at Semarchy, joined State of Identity’s Cameron D’Ambrosi to discuss Master Data Management (MDM), 2018’s looming European GDPR implementation deadline, and why enterprises should view new data privacy regulations as an opportunity. Along the way, they contemplate the true value of the Internet of Things, a future with Millennials in charge, and who will be the GDPR’s first Martha Stewart. The transcript of their interview, which was originally published as a podcast, is below. It has been lightly edited for clarity.

Michael will be a speaker at the upcoming KNOW Identity Conference in March.

Defining MDM

CAMERON D'AMBROSI: Michael, what exactly is master data management, and how is Semarchy involved in bringing that to market?

MICHAEL HISKEY: Data management comes in various forms. Master data management is sort of a special case database where you need to master, physically, data that could sit in various other systems and be controlled by one system. It's tightly related to concepts like data governance, as well as data quality and data enrichment. So when you hear those terms, master data, data governance, data quality, data enrichment, and even things like metadata management, we're really talking all about the same thing, which is mastering components of data that's other than rows, columns, and database stuff.

CAMERON D'AMBROSI: And how long has Semarchy been in the master data management industry?

MICHAEL HISKEY: Semarchy, founded in 2011 in France, has always been fully dedicated to master data management and data governance, and it came into being kind of after all of the consolidation happened in this space where large software companies bought up a bunch of niche players and tried to start stitching together bigger solutions.

Why GDPR is an MDM Problem

CAMERON D'AMBROSI: It's funny that you mention Semarchy having its roots in France. One of the major initiatives that is really reshaping how companies are thinking about interacting with their data is GDPR, or the General Data Protection Regulation. Would you mind giving a quick primer as to GDPR and what some of the pending 2018 deadlines are?

MICHAEL HISKEY: GDPR is part of what's been implemented by the European Parliament and the Council of the European Union, as well as the European Commission. It actually replaces an existing directive that's called the Global Data Protection Directive. It goes into effect, as of now, on the 25th of May, so it’s coming up rather quickly. The reason it gets so much press is because of the fines. For a first offense, the European Commission could levy a fine that's equal to 10 million euros or 4% of your company's global turnover, which is pretty astounding. When GDPR takes effect, besides replacing existing regulations, it'll also be the most far-reaching privacy and data protection regulation ever proposed.

A lot of talk about GDPR rests on one little section that's in Chapter 3, Article 17, of the directive called the Right to Erasure, more commonly referred to as the “right to be forgotten.” What that says is that, on demand, you could ask any organization that has your data to present it to you in all of its various forms, and you could ask them to forget about you: “I want you to delete all the information you have about me in your systems.” As we've alluded to, your inability to do that could come with a huge fine.

CAMERON D'AMBROSI: Just to extrapolate that down to a more granular level, essentially why master data management is gonna be important moving forward is if a consumer comes to you and says, “I wish to invoke my right to be forgotten,” you need to make sure that you are able to quickly and accurately comb through all of your records and pull all of the data associated with that individual and make sure that you can provide it and then delete it if need be. Now if you're not able to do that because you either can't or are too slow at being able to identify which records are theirs, you're opening yourself up for a world of liability.

MICHAEL HISKEY: You are. And you know, to be truthful, there is some discussion on how they are really going to be able to enforce that. Because it's unlikely that they'd be able to put that much effort behind all of that prosecution. So I like to think that they're likely to come up with the Martha Stewart-type prosecution. What I’m referring to are the charges that Martha Stewart got years ago on insider trading. They can't possibly prosecute every person that's likely guilty of insider trading, so what they'll do is look for really high-profile cases where they could enforce the whole brunt of these regulations and potentially get a lot of press coverage in the meantime, which would then force all the other companies to say, “Wow, they're really not kidding about this. We better do that.”

Now—as you mentioned—my company is a master data management and data governance company, so why is that important to GDPR? Really, the principal requirements for GDPR compliance are all concepts that are kind of well worn in the master data management and data governance space. You have to be able to inform people of the data you have. You have to be able to rectify if that data is wrong or if it needs to be changed. You have to be able to explain to a customer or to any consumer how their data is processed, both where you've got it and where you've put it. And again, as we've talked about, the customer could erase it, they could object to it, and they could ask for direct access to it.

The last part is a little more difficult. It's about profiling, and there's a section in the GDPR regulation that preserves the right that you can't offer things to people based on components of their data profile that might be considered private or privileged information.

Why US Companies Need to Think About GDPR

CAMERON D'AMBROSI: Correct me if I'm wrong. Although GDPR is only going to be law within the European Union, if you wish to do business as a company with any citizens residing in the EU, or interact with any of their data, this law is going to apply to you fully.

MICHAEL HISKEY: Not only that, any citizen, any employee, any shred of data that in any way touches the EU, even if it's just stored there in the broadest interpretation, could make you subject to GDPR. So American companies are kind of turning a blind eye to this right now when, in fact, it could be quite important to them as well. Moreover, as I wrote in my article “GDPR Crosses the Pond,” it's likely that because GDPR is a sensible regulation in many people's eyes, it could get extended the way the SOX 404 regulation has extended to Europe, the way some of the Basel II requirements have extended to the US. It could become more of a global standard whereby organizations would voluntarily comply with the standards within GDPR so they're not forced to do it and subject to those fines and problems after.

CAMERON D'AMBROSI: From your perspective, are you seeing that that is the tack that certain US entities are taking? We have written that we do expect, if not formal adoption, that GDPR essentially becomes the de facto global standard.

MICHAEL HISKEY: You know, it's funny. I'm seeing a fair mix of those two. I think most companies, truthfully, are kind of turning a blind eye to it. I have spoken with a number of Fortune 500 companies. I have met only two of them that have a GDPR-focused office or executive in the US worried about those compliance regulations. Moreover, in order to comply with GDPR fully, you need to be able to do all these things we've talked about: stay informed, learn how to do due process or raise your portability access. These things are all quite well understood in the field of master data management, and at the same time if you're able to effectively master all the data you have on all of the parties you do business with—meaning customers, partners, as well as your employees—then you're better able to serve those audiences as well.

All of the components that we know about, customer satisfaction and being able to better up-sell and cross-sell existing customers, revolve around you having a very good profile and a very strong understanding of who your customers are and the data about them—where they live, what they do, how they interact with your products. So in some ways, good GDPR is just good for business.

Internet of Things and Identity

CAMERON D'AMBROSI: Michael, you've written previously about the intersection between these new GDPR regulations and the internet of things. What can you tell us about how GDPR is really going to apply to all of this new data that IoT devices worldwide are starting to collect?

MICHAEL HISKEY: IoT is really about identity and about mastering the data. Here's what I mean. If I have sensors and actuators and things in buildings that take temperature controls and so forth, that's great, and that information's been feeding into IoT and making buildings more green and making us, as an economy and as a society, more energy efficient. But as that crosses over . . . let’s say you're wearing a FitBit and have a fully internet-connected car that talks to the car manufacturer about how that device is operating. Larger vehicles, like a tractor-trailer, might have a digital twin operating in a lab, and everything that happens to the real vehicle happens to that digital twin. All of these things really revolve around a master of that data—and identity. I have to be able to boil your identity out of that information, and make sure I'm not taking anything private to you, but use the rest of the data to feed back into our larger ecosystem to make it more efficient, to make that device more efficient, maybe even to make you more efficient in a way that I need to disconnect and then reconnect identity to that data.

CAMERON D'AMBROSI: I guess what you're saying is as we move into the future, IoT and identity are going to become more and more inexorably linked, and at the enterprise level master data management is really gonna be the only way that companies are going to leverage this IoT data in any meaningful way to serve both their consumers and this new regulatory mandate.

MICHAEL HISKEY: That's exactly the point. Without the concepts of mastering data from the IoT and being able to have pluggable identity, IoT data will have failed to meet the requirement for its benefit.

Why MDM is the Nexus of Security, Privacy, and Identity

CAMERON D'AMBROSI: We've talked a little bit about some of the benefits independent of regulatory compliance from the business side. From the security side, can you talk a little bit about why master data management is a “best practice”? What are some of the security advantages from implementing master data management at the enterprise level?

MICHAEL HISKEY: Data governance is a tightly related concept to master data management, and data governance is really about the policies, definitions, procedures, and enforcement that relates to your data. Now increasingly, in order for that data to be useful, I'm gonna have to be able to push it down to users at the end point—maybe someone like a bank teller that's standing in front of you at the bank branch, Cameron—but at the same time make sure I restrict access to preserve your privacy. Master data management has become expert at field-level security so that each piece of data or each field, if you were to think about it in a database concept, has a level of security related to it. So maybe, as a business user, I have an understanding of the generic, and I can understand how people like you in a cohort interact and your credit information and location data, etcetera.

That needs to change if you come into the bank branch, because you need not generic data but data that relates exactly to you. This presents a huge security problem because I can't just let all of the data be freeform and easily accessed. I have to control data on a user or persona basis, based on the role of the person in the organization, so that they have the right access to the information, but not too much access.

CAMERON D'AMBROSI: So what you're saying is essentially, Semarchy allows that to be at a Goldilocks level, if you will. You can really tailor access to the specific use case required for that moment while protecting the privacy of your consumer, meeting your regulatory requirements, and also obviously making the head of that business unit happy that you have not hamstrung his analysts or customer service reps by restricting the access to the important data that they need to do their job.

MICHAEL HISKEY: Absolutely. Not only this, but also controlling the access that people like database administrators have, so maybe they can get access to only anonymized data, as well as access for business users that might only get a tokenized, short-time temporary access. Maybe someone would have access to your profile, Cameron, when you're opening a new account, but once that process is closed they lose access to that personally identifiable information.

How to Meet GDPR Compliance in 10 Weeks

CAMERON D'AMBROSI: So, Michael, if I'm a company with no current data management practices in place, and I'm coming to Semarchy looking to become compliant with GDPR, what are the timeframes involved in setting something like this up? Is that a completely un-addressable question with too many question marks, or can you provide general guidance as to what kind of time frames we're looking at for fundamentally changing an organization's data management structures?

MICHAEL HISKEY: Well, some people would say GDPR is opening a can of worms, and it's a large, unwieldy problem. That being said, we've had clients that we could put together a solution in as little as 10 weeks. It really just takes understanding where your customer data resides, what data points you need to get out of it, and what the requirements are for access and profiling. Once we really understand those things, we're able to process that information quickly. The key isn't so much the database-y stuff. It's generating an application that could be accessed by the right individuals so that they could interact in a meaningful way with the data. It's not as hard as you think it is, although it's not an easy problem to solve. You should get up and running sooner rather than later.

CAMERON D'AMBROSI: And it really does sound like the dividends kind of pay for themselves, if you will. You know, you could implement this looking to achieve compliance, but really see gains on the backend from efficiency and customer satisfaction that end up being worth that squeeze, even if GDPR weren't coming down the pike.

MICHAEL HISKEY: People would be well advised to view GDPR as an opportunity to better serve their customers and constituencies overall.

CAMERON D'AMBROSI: As a former regulator, I think that is a very positive attitude to have.

MICHAEL HISKEY: Coincidentally, I saw that there are hundreds of open job specifications in Europe right now for GDPR regulations, so it's high times if you wanna be another regulator in Europe.

The Future of Data Management is Millennials Taking Charge

CAMERON D'AMBROSI: One of my favorite things I like to do on the podcast is to ask my guests to reach into their desk and pull out their trusty crystal ball and make some prognostications for the future of the identity industry and technology at large. Michael, looking into the crystal ball that I know you keep inside your desk drawer, what are you seeing for 2018 and beyond in terms of the data management space and identity in general?

MICHAEL HISKEY: Well, mine's more of a Magic 8-Ball, but that's sort of a product of how I grew up. I think the future is unclear in the short-term, in terms of how the various bits of technology will come together. There's too much technical focus on what different pieces of software and technology do. But I think in the slightly longer term, 12 to 18 months, there's more of a convergence of the various parts of data management coming together to serve mostly users that have a high contextual understanding of the business and want to put their hands on data.

The reason for that is the increasing role of millennials in managerial positions. I know this is sort of a well-worn topic, and you talk about it a lot in the identity space. But it’s certainly coming to fruition in the data space that more of the people who are customer-facing or sitting in units of the business want to have primary access to the data because they understand it. And they also know intuitively that every bit of data is tracked and logged and exists somewhere, and they should be able to do something meaningful with it.

When and Why Consumers Share Their Data

CAMERON D'AMBROSI: It's been interesting to see some of the prognostications for the impact of GDPR on business globally. I think there's kind of two camps. There's the folks who think that by giving consumers the ability to opt out, consumers are really going to react poorly to any overtures to collect and store their data. And I think there's another camp, which I would consider myself to be a part of, which is that this is really going to cause companies to reconsider their data collection practices and really take a hard look at: what do we need to do our business efficiently, what do we need to deliver value to our customers, and what don't we need? And I think you're gonna see some of that superfluous, extraneous data collection falling by the wayside. Because when you are forced to go to your customers to get explicit consent, you're gonna really narrow that ask down to just what you need to do your job.

And I think when you can demonstrate to consumers: “I am requesting access to these data fields, here is why I want access to it, here is how I'm going to use it, and here is the value I'm going to deliver to you in exchange”—by and large I think consumers have proven that they will be receptive if you show them the dignity and respect of coming clean and telling them exactly what you are and are not going to do with their data.

MICHAEL HISKEY: Absolutely. Certainly the data I have seen bears out the idea that people are not unwilling to share their data if they know that you're using it in a meaningful fashion to serve them better. And that dynamic becomes more true as you talk to younger consumers. There's a certain age where consumers just don't wanna share any information. But as you start to trend younger—they're willing to give up information if they know that they're getting some value in return for it. And that's an important concept. It's tightly related to GDPR, and organizations that are thinking about how to comply with GDPR should also think about it as that opportunity to get a better customer intimacy program in place at the same time.

The Chief Data Officer Will Rise

CAMERON D'AMBROSI: Michael, we're almost out of time but one last question before you go. From an organizational perspective, who are you receiving the most questions and feedback from about GDPR and GDPR compliance? Does this fall to the level of a CEO, or is there someone else who you found the most success interfacing with to tackle these data problems?

MICHAEL HISKEY: You know, increasingly, we're hearing a lot about the CDO, the Chief Data Officer, or in some cases the chief data and analytics officer, and they're really owning more of this strategy. So that's a new C-level role that you're hearing more about every year. Two years ago you didn’t see many. Last year you saw more. Now we see kind of a good number of them, and it generally falls into their bailiwick. More and more there's starting to be conferences, white papers, and studies that really target the understanding of treating data as an asset, and the Chief Data Officer seems to be the person that the board looks to for who should know where the company is with regard to its data.

CAMERON D'AMBROSI: Well, Michael, thank you so much for making the time. Really appreciate it. I know I learned a lot, and hopefully our listeners did as well. If folks wanted to learn some more about Semarchy or the concept of master data management in general, what are some resources that you could point them to?

MICHAEL HISKEY: Sure, Cameron. I would encourage them to go to where we have a bunch of educational material there on GDPR, on the chief data officer, and on the rise of data-driven cultures and how that impacts the economy.

CAMERON D'AMBROSI: Fantastic. Well, thank you again, and looking forward to speaking again soon.

MICHAEL HISKEY: Thank you so much.