June 14, 2018 | Webinar

Opportunities and Challenges in GDPR and Cybersecurity

Rohit Kulkarni 00:04

Okay. We are going to go ahead and get started. Good morning, everyone on the West Coast and good afternoon to anyone who’s joining us from the East Coast. On behalf of everyone here at SharesPost, I would like to welcome you to today’s webinar. I am Rohit Kulkarni. I am the Managing Director of the Private Research Group here at SharesPost. Among other things, I oversee our website content, data, analytics and the research group. I’m very excited to have with us Sheila Fitzpatrick. I came across Sheila’s profile and her videos from all the talks that she has done across many, many conferences while we were doing research here on the impact of GDPR on the private markets and startups, and also the broader debate around data privacy and data security, and many intertwined things. The media feels that the size and scale of GDPR regulation is comparable to Y2K. I know a lot of people were probably in kindergarten at the turn of the century and don’t know much about Y2K, but just to give a little bit of context, industry experts believe that Y2K led to a 5% increase in IT spend in big banks in 1998, ’99. So comparing that to GDPR is also something more massive. So again, super happy to have Sheila online. And the other broader topic is cyber security, which Warren Buffet has been talking a whole lot about over the last couple of annual meetings that he hosts. He has said, “Cyber attacks are a greater threat to humanity than nuclear weapons.” That’s his quote. So I guess we’ll be learning more about how to bring about world peace from Sheila as well.

Rohit 02:00

But again, anyway, jokes apart, in all seriousness, I’m very lucky to have her on this webinar. Her experience, her resume, and all her accolades are very, very impressive. She runs a global strategic data privacy and compliance consulting firm. She has over 35 years of global data privacy, data protection and compliance experience. I think she’s one of the world’s leading experts in data privacy laws. She has worked with the UN government, a lot of law enforcement agencies, and so on and so forth. She has graciously put together a presentation that she will walk through. But before we jump into the webinar, for anybody who’s joining us for the first time, our mission here at SharesPost is as follows: to provide insight and access to the private [inaudible] asset class. We believe there is a bigger asset category that’s been brewing over the last six years with $1 trillion in market cap globally, and that’s where we stand. We offer a whole bunch of products and services including direct [inaudible] manager on SharesPost 100 Fund and offer lendings as well. These are just a few issuers that we have transacted in and the list keeps on growing. SharesPost Research, as a group, we launched about 18 months back and we have been hard at work hoping to educate investors and all the ecosystem participants about teams, about investable opportunities in the private [inaudible]. All of these reports are accessible to people who are customers of SharesPost through their online accounts. We are always looking for webinar speakers like Sheila. We have conducted a lot of webinars in the last year or so and also try to stay on top of ongoing market movements that affect all the things in the private asset category. Our IPOs have been kind of a flavor of the year in innovate. We just today [inaudible] as an IPO, is up more than 60%. It’s a $15 billion plus company today. Green Sky IPO happened a couple of weeks back. Probably the largest IPO globally since Alibaba might happen later this year [inaudible].

Rohit 04:37

Moving on to cyber security, we have been doing research on this and hope to publish at some point over the next few days, weeks, a series of reports, and just to give a little bit of context, this chart probably shows on an exponential scale the scale of hacking activity and data breaches. Yahoo was one of the ones and there are many, many more. This is an exponential chart so every bubble is 100 times bigger than the next one. So again, over the last couple of years we have clearly seen an accelerated impact of data breaches and a lot of it banks. So the spend buckets have started to increase as well. But again, there is always catch-up between our problems and solutions as [inaudible] see in the tech industry. And I’ll stop right there. I know there is a lot [inaudible] work and Sheila, the mic’s all yours. And we have some Q&A during and after, and as time permits, we will jump into those as well. For people on the webinar, you can feel free to type questions as you go and we’ll try to answer them as we get them. So onto the main topic, Sheila. Control’s yours.

Sheila FitzPatrick 06:08

Okay. Great. But thank you very much [inaudible] and thank you all of you for joining today. Really appreciate the opportunity to speak about my passion which is obviously data privacy laws. I’m going to talk a little bit about GDPR and beyond. I know that many of us are probably tired of hearing about GDPR. It was definitely at the forefront of every webinar or conference seminar we attended in the last two years. But I look at it a little bit differently than most people. I think of GDPR as an evolution as opposed to a revolution. And that’s mainly because GDPR and data privacy laws around the world are really having an impact as our business and our business models change. We’re seeing more of a move towards globalization. That certainly has been happening for numerous years but the push now, because of new technology, is even greater. We’re seeing an intense media and social media focus around the sheer number of data privacy violations and security breaches that have occurred. Particularly last year in 2017, there was a 64% increase in the number of security violations and privacy violations around the world. And that’s a pretty substantial growth. And it’s important to understand that oftentimes we focus on cyber attacks, we focus on unauthorized access into your environment; a hacking that occurs. But many times, those security breaches end up being massive privacy violations. And by that, I mean unauthorized access into your environment can actually expose personal data that you are collecting and processing, that you are not legally allowed to have. So what starts out as a security problem, which is certainly an issue, can turn into an even greater problem which is then a privacy violation where the data protection authorities will get involved and pretty substantial sanctions would be levied. There’s certainly more of a heightened concern over the collection and use of data, what’s being collected about an individual, who’s collecting it?

Sheila 08:20

And first and foremost, new technology is really driving the need for stronger privacy rights. Whether that’s Cloud or Internet of Things or artificial intelligence, and I’ll talk a little bit about that in a minute, as well as data subjects are starting to demand more control of their own data. So this is really an evolving process. And as I said, it’s an evolution, not a revolution. As you all know, GDPR went into effect on the 25th of May, just a few weeks ago. The world did not end. We are all still surviving, we’re still managing, we’re still working. And it’s important to understand that no organization will ever be 100% compliant with GDPR or any data privacy laws for that matter. This is a risk-based approach to the collection and processing of personal data. It is going to continually evolve, as your business evolves, as the type of data you use evolves. And so assuming that you have to be 100% compliant is a little bit misleading. You need to be realistic about your approach to the collection and processing of personal data. Recognize that many of your business models are going to have to change, your processes are going to have to change, your compliance platform is going to have to evolve. So as your data changes and your business models change, you as an organization need to evolve with it. And be proactive and not reactive. You want to look at what your privacy program currently looks like, and build on that, and methodically build towards what you consider to be that model of excellence. Don’t buy into marketing hype. We’ve all seen everyone and their mother jump on the bandwagon and claim to be GDPR experts, and you have to be very careful not to buy into some of the misleading information that’s out there. And as I like to tell my customers, “Breathe, stay calm, and just evolve your privacy framework.”

Sheila 10:16

So some of the GDPR highlights, I won’t go into in great detail because as I have said, you probably have heard this ad nauseam, but it’s important to understand that GDPR is first and foremost a compliance-risk issue. It is not an IT issue. It is not a technology issue at the start. Technology is going to be very important to allow you to maintain ongoing compliance, but it is not going to help you obtain compliance. It impacts any organization anywhere in the world if you have access to the personal data of an EU resident. Whether you provide goods and services, whether you monitor the behavior, whether you have a website that an EU resident would go to and have to enter any personal data, whether you conduct transactions with EU resident data, you will have to comply with GDPR. Probably the most important thing to consider is transparency. You have to be extremely up-front and open about what data you’re collecting, why you’re collecting it, what you’re doing with that data, what your lawful basis for having that data is, where that data’s being processed, whether or not it’s moving outside of the country of origination, and moving isn’t exactly a physical movement, it can be access to that data from outside of the country of origination. It also has concepts around data minimization; only collecting the minimal amount of data you need in order to manage whatever relationship you’re trying to manage or provide whatever service you’re trying to provide. And you need to make sure that any time that you’re implementing a new system, a new process, a new policy, a new procedure, that you think about privacy up-front and embed that in your design and planning process. We always think about security up-front, but companies rarely ever think about privacy.

Sheila 12:08

Another key highlight is that GDPR actually expands the definition of personal data. So personal data is defined as any piece of information that is identifiable to an individual or can identify an individual, either directly or indirectly. Under GDPR, that expands to include IP address, location data, genetic information, biometric information, and unique identifiers. So if you use any of those categories of data and you say, “Well, that’s not personal data.” If you can go through a process to tie that data back to a specific person or add different data elements to it that can in fact directly or indirectly identify someone, that is definitely personal data. In some cases, GDPR does require explicit freely given consent, not in every case, but in some cases. There is now a 72-hour data breach notification obligation. And this means within 72 hours of suspecting you have had a privacy violation or a data breach, you must report it to the appropriate data protection authority or supervisory authority. You do not have to notify the impacted party until you have determined whether or not the data that has been exposed could result in substantial harm to the individual.

Sheila 13:34

As I mentioned earlier, transparency is extremely important. Your documentation must be clear and explicit. Your terms and conditions must be easily understandable so that when individuals tick the box giving you consent to use their data, they know exactly what they’re agreeing to. If you have terms and conditions that are too hard to understand or they’re too long and convoluted, or written in legalese, even if someone gives you their consent, that is not a valid consent and it will be basically invalidated by the data protection authorities. You need to conduct privacy impact assessments to determine what the impact on personal data is going to be if you embark on a new technology, a new program, a new policy, or a new procedure. In some cases you might have to appoint a data protection officer, that’s either an internal or external person responsible for your privacy program, and who would be the liaison between the data protection authorities around the world and your own internal operations. Many organizations are concerned about the right to be forgotten and right to erasure which is a new requirement under GDPR, and this means if you do not need the data for a legal requirement or a contractual obligation, you must delete that data if the individual requests that data be deleted. Now, the data protection authorities understand that you may have 20 or 30 years worth of backup tape somewhere and you will have no idea whether or not those tapes contain personal data. You are required to do everything humanly and technically possible to destroy that data but it is completely understandable that in some cases, you may not be able to. So I know a lot of people are getting very worked up over the inability to destroy data. You can’t use that as a default and just say, “No. We can’t destroy it.” But if there is an absolute valid reason for not being able to do so, then you are going to be fine. And then obviously, there are greater sanctions under GDPR that can result in a fine of up to 4% of your annual global turnover. And that’s going to be for blatant non-compliance, not for an issue that occurred that you couldn’t really handle. So some of the myths--

Rohit 15:57

Hey, Sheila. Sorry to interrupt. A quick clarification question I see here on the screen is on the 72-hour data breach. From last year, we learned companies like Uber, or even Yahoo, or Equifax, they themselves weren’t aware of the data breaches for several months in some cases. So that 72-hour data breach notification obligation, is that from the time the company learns about a hack, or is that from the date of the hack--?

Sheila 16:25

That’s from the time that an organization strongly suspects that there has been a hack or from the time that they actually identify that there’s been a hack. But what’s happened in some of these cases is companies have suspected there’s been a hack, but they haven’t done anything about it for several months and therefore didn’t report it. So you have to be very careful: if you strongly suspect, but you don’t know for a fact that you’ve been hacked, you still have to report it.

Rohit 16:54

Okay. Thanks, Sheila. Please proceed.

Sheila 16:57

So some of the myths that I’ve heard, some of them make me laugh, others make me cringe, is that I hear that the EU data protection authorities are going to relax the requirements. That’s absolutely a false statement. They are not going to relax the requirements. Some people believe that the grace period actually started this past May 25th. Actually, the grace period ended May 25th and it went into full force. Some people believe GDPR only applies in the EU. As I mentioned earlier, this is the first extraterritorial law. It applies all over the world. There is no company that’s ever going to be 100% compliant, and I hear a lot of vendors and suppliers and big consulting firms saying you have to be 100% compliant and we’ll make you 100% compliant. That is a myth. No company will ever be 100% compliant. Some people believe it can’t be enforced outside the EU. It definitely can be. The data protection authorities have the right to file a complaint with the local courts here in the US and under the US Redress Act. Any EU resident has the right to file a complaint in the courts here in the US. And the EU data protection authorities can also prohibit you from marketing or having a website or presence in the EU. So there are various ways in which they can enforce the sanctions. Many organizations believe that security is privacy, and they believe that if they encrypt data or they host data in a certain geographical area, that they’re good, and that’s definitely not the case, and I’ll explain that in a minute. There is a belief that only structured data is covered under GDPR. But both structured and unstructured data are covered because some of the most highly sensitive data you have may be in your unstructured data. Only the system of record has to be addressed. Another falsehood. Every location and instance of that data is covered under GDPR. Our current privacy framework doesn’t matter. Your current privacy framework should be the basis by which you look at where your gaps are and build on that. Obviously, if you don’t have a privacy framework in place, well then you need to start from the beginning. And tools and technology alone are not going to solve GDPR, as I’ve mentioned earlier.

Sheila 19:17

So moving on, what do I mean when I say tools and technology alone do not solve GDPR? There are 99 articles in the GDPR, only 8 specifically involve tools and technology and that’s things like data mapping, data classification, data flow, data lineage, security, right to be forgotten, those type of things. But in order to really be compliant with GDPR and, again, any data protection law for that matter, you have to start with the foundational work. It’s like building a house. You would never build a house by starting with the roof or the attic. If you don’t have a foundation in place, the second floor is not going to help you. So going out and acquiring tools and technology to solve a compliance issue is not going to help you initially. You need to look at what is your basis for processing that data, and that’s the first thing you need to start with. Do you rely on consent from the individual? Do you collect that? That is not appropriate in the context of an employment relationship. Do you have a contractual obligation to collect that data? Do you have a legal obligation that mandates that you must have that data? Is it in the vital interest of the data subject, a life or death situation, that defines the fact that you need that data? Is it for national security, terrorism, national disaster that you have to have that data? Does your organization have a legitimate interest that does not infringe on the rights of the data subject? So do you have a legitimate business need to collect that data? And once you’ve decided what really is your basis for processing and you have defined it and clearly written it in a well-defined policy, then you need to look at how you’re collecting the data, who are you getting it from, how transparent are you, what do your policies look like, what do your third party contractual obligations look like, who are you sharing that data with? And all these things that I’m talking about have absolutely nothing to do with technology. It’s building the foundation first and the ground floor first. Then once you have that privacy infrastructure in place, that’s when you start looking at technology to help you do things like data mapping, and data security, data erasure. But you, again, don’t start by going out investing millions of dollars in technology if you don’t have a privacy foundation in place. And a lot of companies made that mistake over the last year and a half. They invested millions of dollars in technology only to find out, come May 25th, they were not compliant because they did not have a privacy program in place.

Sheila 22:00

So we’re also seeing a ripple effect around GDPR. The good thing is that we’re seeing companies recognizing the importance of the right to privacy and that fundamental right that every individual has. The negative impact has been, we’ve seen an influx of marketing collateral, brochures, webinar panels by so-called experts who jump on the GDPR bandwagon claiming to know everything there is to know about privacy in GDPR. And as [inaudible] mentioned earlier, it’s almost like Y2K all over again where there was a lot of scare mongering going on by companies that, to generate millions of dollars in revenue, trying to sell an out of the box solution for a very complex legal issue. And that was a very negative thing that happened because it didn’t really explain what GDPR was. And GDPR is all about common sense. Do you have the right to collect the data? What are you collecting? We were seeing, again, a lot of marketing collateral going on but no one was talking about the importance of that solid data privacy compliance framework. And when I was bringing that up with customers, it’s almost like the light would go on and they’d say, “Now I get it. We were building a house without having a foundation or a blueprint in place.”

Sheila 23:24

There’s also a need for data protection officers. That’s a very rare expertise. And I cringe when I see a lot of companies now claiming to sell data protection officers as a service, as another staff offering when they have never operated in the privacy space. Keep in mind, I am not by any means anti-technology, technology is fabulous and incredible to allow us to grow our business, but it has to be used in the right way. And many of the technology companies, which is the reason why we have privacy laws to begin with, were the same companies that were claiming to be experts trying to solve your privacy issue. So it’s really knowing how to digest that information that’s being shared out there. GDPR is definitely influencing a global change in the way we treat personal data. In some ways it isn’t a flow in the adoption of technology but that’s going to change as people build their foundation and then learn to embrace the right technology to continue to operate. And then we’re seeing a definite confusion between security and privacy which I’ll talk about. So some of the global--

Rohit 24:29

Hey, Sheila. Sorry to interrupt again. This is Rohit. So I guess, yeah, I know I received at least 30 emails in the last couple of weeks about updates to our privacy policy from websites that I didn’t even know that I had subscribed to. But I guess, you talked about technology and kind of solving this problem in kind of two different ways. But have you come across any innovative kind of business models or startups that can help companies achieve GDPR compliance in terms of audit or data privacy compliance, or is there a technology-based solution that you thought was, “Aha! This is something that--” Or if only all your customers could use.

Sheila 25:16

Well there’s not really a technology based solution for a legal compliance issue because it’s all around understanding what data you need in order to manage the relationship you’re trying to manage or provide the service you’re trying to provide. And unfortunately, automatically people go to, “Well, we’ll just buy a solution.” But you have to build that foundation, build that blueprint for the need for collecting data, and define that basis. That’s not to say that technology is not part of the GDPR journey, but it’s not going to solve your problem completely. You have to do sort of the administrative legal work first, then you start to look at technology. And there’s certainly some very good technologies out there that will help you with the data mapping capability, the data lineage, the data portability requirements, the data security requirements. But those are just specific aspects of GDPR, not the overall compliance program.

Rohit 26:16

Okay. Got it. Please proceed, Sheila.

Sheila 26:19

Sure. So some of the country-specific in the [inaudible] we’re seeing-- and don’t worry, I won’t go through every bit of detail on this, but we’re seeing the greatest amount of change when it comes to privacy laws is Australia, and in New Zealand, as well as Asia. Australia and New Zealand currently are two countries that are really embracing privacy laws, have always had privacy laws in place, but they’re trying to attract more of the European business and in order to do so, they needed to amend and expand their own country-specific laws, and that’s currently what’s going on in those two countries. New Zealand is currently the only country in the Asia Pacific region that has what’s called an adequacy rating under the EU. And this was under the previous EU directive. That adequacy rating, which means that companies in New Zealand could freely move European data back and forth, is now in question because it is not adequate under GDPR. So New Zealand is definitely changing their laws. Australia just implemented in February of this year their new mandatory breach notification reporting requirement. It’s a little bit different than GDPR. It’s not a 72-hour requirement, it’s a requirement that says you must report when it is reasonable that you have determined that you have had a breach. As I mentioned, Asia right now is the fastest growing region in the world when it comes to the implementation of privacy laws. Last year, both China and Japan implemented their laws that are equal to the GDPR but no one is talking about it. Everyone is so focused on GDPR that they’re ignoring the fact that there are equally restrictive laws around the world. So that includes China, Japan, Hong Kong, Philippines, Singapore, and South Korea. I love to tell my German friends that they no longer have the most restrictive privacy law in the world. South Korea actually has the most restrictive data privacy laws in the world.

Sheila 28:21

We’re also seeing changes within [inaudible] itself. We’re seeing the ePrivacy Act which will deal with the use of cookies and electronic communication. That will be going into effect next year. It was supposed to go into effect this year but it’s been delayed. We are seeing new requirements at the country-specific level. So even though the intent of GDPR was to harmonize the laws in the 28 member states, soon to be 27 when the UK leaves, what we’ve seen is that the countries are implementing additional restrictions above and beyond what GDPR requires. Germany, Austria, Spain, Italy are prime examples. So now we’re back to having to look at, not only the GDPR, but the national laws as well. And the Middle East is definitely being impacted because there is a tremendous amount of business that goes on between the Middle East and Europe especially in Qatar, Saudi, the UAE. Israel has always had very restrictive data privacy laws but it’s become even more restrictive now. And we’re also seeing a move towards data localization in some of those countries where they’re requiring the data to remain in country. Now there are ways to get around that, but we can talk about that offline. And then we come to the Americas. It’s very difficult for citizens and residents of the US to really understand how important data privacy laws are because the US has the least restrictive privacy laws in the world. We have what are called quasi-privacy laws. There’s an exception to every rule. We care more about security than we really do about privacy. Canada has always had very restrictive privacy laws especially in British Columbia and Nova Scotia. So as I love to tell my American friends, Canada is not the 51st state of the US. It has very different laws and in many cases, you have to go through a very restrictive compliance effort in order to move or access data from Canada into the US or a country that does not have adequate privacy laws.

Sheila 30:29

And then within Latin America itself, there are now 15 countries including the ones you see here: Brazil, Chile, Costa Rica, Colombia, Mexico, that have data privacy laws equal to what we saw in Europe prior to GDPR going into effect. Many of these countries used the previous EU directive as their baseline. So some of the challenges, as we think about the new technology, although the Cloud’s not new, but it’s becoming more and more prominent-- and I’d just like to state up-front, I am not anti-Cloud by any means. I mean, Cloud is definitely the direction of the future and it makes sense in many situations. But oftentimes when organizations make the decision to move to the Cloud, they never think about data privacy laws and the restrictions. And so when you’re embarking on a Cloud journey, whether you’re a consumer or whether you’re a Cloud provider, you really need to look at what are the privacy laws around the world, and what are the requirements around data sovereignty and maintaining the data in-country or at least, knowing at all times, the location and the cross-border flow of that data. Just putting a data center in a particular country does not mean you have met your obligations under GDPR or other privacy laws because even though that data center may be in Germany, that data may still be backed up and replicated outside of Germany. It may still be supported from outside of Germany, especially if the Cloud provider has a 24x7 support model, there will be individuals outside of the country that are supporting it. Also if the Cloud provider is not an EU-based Cloud provider, they may have partners that are not located in-country. So it is really, in many cases, a false statement to say your data is located in a data center located in Europe and therefore you’re compliant with GDPR. There are many other questions that have to be asked. There are issues around who controls that data and who actually owns the data once it goes into the Cloud. What if your Cloud provider decides they want new data centers? You, as the customer, do you have the right to say no? Do you have the right to say whether or not that data can be backed up and replicated? Do you have the right to say you don’t want a third party supporting that environment? In most cases you don’t.

Sheila 32:55

In some cases there is a lack of transparency from many of the providers, not out of arrogance, but sometimes out of ignorance and not really understanding what the privacy laws really mean because many of the providers talk about security, and they think as long as that data’s locked down, you’re good. It’s important as a customer to think about the type of data you want to put into the Cloud and the type of Cloud. Do you want to put the most confidential, sensitive data of your customers or your employees in a public Cloud? Maybe not. Do you want to put the crown jewels of the company, your IP, in a public Cloud? Maybe not. Maybe you want to use a private Cloud or a hybrid Cloud. There are different alternatives to look at. You also need to look at what are the data breach remediation and contingency plans? Not only yours, but those of your providers. You need to look at security, certainly. After you’ve addressed privacy, you need to look at how that data’s protected. You need to make sure that you vet your third party providers to make sure they comply with data privacy laws, and they accept their obligations as a data processor. Every Cloud provider is a data processor. Even though they try to push back and say, “We don’t know what data you’re storing in our environment.” As long as you’re providing that environment, you are hosting the data. You are a processor under the law. You also need to look at litigation and eDiscovery. What happens if there is a legal hold on your data and your provider gets that legal hold? How do you address it? And if you are a Cloud provider, how do you handle any litigation issues that come to the forefront or how do you deal with eDiscovery issues?

Sheila 34:37

There are also challenges when we think about IoT and AI. And again, very much like Cloud, I am totally supportive of new technologies, however there are issues that have to be addressed. When you think about the fact that 80% of the world’s data has been created in the last two years, that’s because of the exploding amount of data that’s being gathered and enhanced by the use of IoT and AI. The ability to be able to monetize data is a phenomenal development, but it also causes many privacy concerns. And that goes back to that lack of transparency. The unknowing sources of data. Who’s gathering your data? Where are they getting it from? Where are all these cameras, and sensors, and wearables located that are collecting this data? Who is that data being shared with? There’s a massive amount of innocuous data that can turn into profiles of individuals by compiling information, and massaging it, and manipulating it to actually point back to a person. There’s also that inability for individuals to consent to the collection and processing of data in many cases. And that adds to many of the privacy concerns. It’s difficult right now to have adequate security within the IoT and AI devices. We’ve seen a number of issues especially from a privacy and security perspective around the use of some technologies. It’s certainly getting better. One of the best examples I use is the concept of smart cities. Smart cities is a growing phenomenon around the world. And two years ago I spoke at a smart cities event in Singapore, which is one of the leading countries when it comes to a smart cities, smart nation concept which is an incredible development and certainly can add tremendous benefits to citizens in those areas. However, if you can’t be upfront and transparent with your citizens, if you can’t define what you’re doing with that data, how it’s being collected, who has access to it, how you can have it destroyed, then those smart cities are going to become very untrusted advisories and citizens are going to lose faith in what’s happening.

Sheila 36:56

So my big pet peeve: privacy versus security. If you tell me you have world class security and therefore you’re compliant with privacy laws, I always tell people, “I will slap you,” because they are not the same thing. Although they are interconnected, they are definitely not the same thing. You can have the best security in the world and still not be compliant with data privacy laws. And I use the analogy of a bicycle wheel. Data privacy is the wheel. It’s the full life-cycle of that personal data you collect, from the time you collect it to the time you destroy it. And it deals with what data you’re collecting, how you’re collecting it, do you have the right to collect it, how are you using it, who are you sharing it with, where is it being stored, is it being transferred? It’s all of the legal and regulatory requirements. One spoke on that wheel is security. It’s an extremely important spoke, but if that’s the only spoke you’re looking at, that wheel’s not going to turn, because you’re basically locking down data you’re not legally allowed to have to begin with, because you haven’t dealt with your privacy issues. And I love to use the analogy: if I go down the street, and I rob the bank down the street. And I bring that money home. And I lock that money in a vault in my house, and I’m the only one that has a key to that vault. No one can get to it. I have built a complete fortress around that money. When the police come knocking on my door, they’re not going to care, because that’s not my money to begin with, and I didn’t have the legal right to have that money. So you need to think about personal data the same way. If you haven’t gone through your privacy due diligence, if you haven’t built that privacy compliance framework, that legal foundation, then the best security in the world’s not going to help you. ISO standards and certifications are fantastic, but they deal with security, not privacy. So it’s important to have them, but don’t mislead your customers, or don’t let your vendors mislead you, by thinking the ISO standards address privacy. Every Cloud provider can address security; very few can actually address privacy. And that’s why it’s so important to conduct a legal privacy impact assessment.

Sheila 39:05

So one of the things that I know that everyone’s concerned about is that under GDPR and the data privacy laws, what happens if you have a data breach, or a cyber attack, or some type of privacy incident? I go back to-- I sound like a broken record when I talk about transparency, but getting ahead of the breach as soon as possible is extremely important. Being able to contain and assess the situation. To evaluate that risk. Was the data that was exposed sensitive data that could actually harm an individual? Was it financial data? Was it medical data? Was it data that could lead to identity theft? How do you notify? Who do you have to notify? How soon do you have to notify? Understanding that up-front is extremely important. And what’s your plan to prevent future breaches? You need to understand what constitutes a breach. So there’s going to be many breaches. Breaches are always going to occur. Cyber attacks are always going to occur. But how do you get ahead of them, and how do you know whether or not it’s a situation that you have to report to a data protection authority? And that goes back to: the data that was exposed, were you legally allowed to have it to begin with, did the person give you consent? Did you have a lawful basis for processing it, and could that data potentially harm an individual because it was exposed?

Sheila 40:32

You need to have a very clearly articulated incident response and litigation plan in place, and have that incident response team in place. Make sure that you have your privacy expert on speed dial, because the privacy officer has to be directly involved in any data breach or cyber attack that involves personal data. IT is not the only organization that can deal with this. You want to get an independent perspective. If you’re not quite sure what your obligations are, reach out to a privacy expert. Be transparent and communicate. Don’t do what many companies have done. Many of the large breaches we’ve seen in the last two years, the problem is they have not been transparent and they have not communicated. They’ve waited until it was too late, and so the explosion occurred. And then all of a sudden they were trying to get ahead of it, but by then, they were behind the curveball. You want to show confidence, you want to show you’re in control, and you want to calm your customers. You need to repair your reputation by showing that you have a sound, careful, and concerned attitude and approach for any data breach or cyber attack.

Sheila 41:48

So how do you mitigate the risk? You need to know what your role is: are you a controller or are you a processor? You might be both. You want to be extremely transparent and understand that outside the US, the default is every individual has opted out of having their data processed until they exclusively opt in, unless you have a legal requirement to maintain that data. You want to classify your data. Know what solution makes sense for what type of data. You want to vet your third parties to make sure they understand data privacy laws. If you ask a privacy question and you get a security answer, your supplier does not understand privacy. And if you’re the supplier, you need to know how to answer a privacy question. Don’t give your customers a link to a 50 page URL on encryption, because that’s not what they’re asking you. You want to ask the right questions. You want to know your risk tolerance. You don’t want to buy into marketing hype. You want to build that legal compliance framework, have clear and exclusive policies and procedures in place, and conduct your privacy impact assessments separate from the security impact assessment. They are not the same thing. You conduct the privacy impact assessment before you do the security impact assessment. Have the right contractual agreements in place. Understand the difference between privacy and security and have that response plan. I think I went over one-- nope, that was it. Okay. I am going to turn it back over to [inaudible]. Thank you very much, everyone. I hope that was helpful.

Rohit 43:17

Okay. Super. Yeah. This was a lot of data, and I think I am afraid about putting my personal data anywhere in the Cloud now [laughter]. Anyway, jokes apart, I think a couple of questions I got along this line. It’s been maybe 3 weeks since GDPR was kind of, I don’t know what the right word is here, but since 25th of May. Are you tracking any specific events or appearances, as in what we see in the news, is that kind of your following as well, be it Facebook, or Google, or even among the startups like Pinterest, they shut down one of their divisions fearing some GDPR non-compliance. Is there any specific event that you are closely monitoring?

Sheila 44:13

Yeah. So there are a number of them going on right now. And so there have already been seven challenges filed in the courts of Europe against some of, most of them have been against the big providers: the Facebooks, the Googles of the world, some of the Cloud providers. And it’s because of, really, that lack of true transparency. Every company, it seems like, we were all inundated with new privacy policies. And it’s one thing to write a new privacy policy; it’s another thing to actually have the processes and procedures in place to support that policy. And oftentimes, some of the companies we’re seeing, and with the challenges that have been filed, is that companies are trying to figure out a way to get around GDPR, so they’re making statements such as, “We will protect your data from unauthorized access and use.” However, they’re still not obtaining your consent to collect that data. They’re still not being transparent around the use of that data. Some are even trying to push liability down to their customers or down to their third party suppliers, which is not acceptable either. So I sit on the EU Advisory Board, so I’m very intimately involved with some of the violations or complaints that have already been filed.

Rohit 45:28

Okay. Interesting. And another quick one. As in I know in the latter half, you talked about challenges to IOT. Again, similar questions along the lines of: are you seeing any innovative businesses or business models or solutions for kind of the next generation IOT companies, or companies having an IOT kind of business, to be more kind of compliant and be able to provide greater data privacy and transparency? As in I’m-- feels like a broader question but--

Sheila 46:00

Not really. I have not really seen that yet, but I know a lot of companies are talking about it. And I’ll tell you that the companies that can actually come up with technology around IOT and AI that is truly transparent, that addresses privacy as opposed to just looking at security, will have a very compelling business model to sell and will absolutely gain that competitive advantage. Unfortunately, most of the companies are still talking about security and still confusing privacy and security.

Rohit 46:32

Okay. Okay. Fair enough. I know. I want to be super careful of your time, so I think we will wrap it up right here, Sheila. So, again, thank you so much for your time today, and thank you to everyone for joining in. I know there are a few unanswered questions. We’ll try and circle back offline after the webinar. And my contact information is on the screen if you have any more questions. And I see a lot of people have requested access to the replay. Yes. We will be sending a follow-up email with the link to the webinar replay in the next few days. And as always, we are looking for topics and speakers. We’re looking for people who are experts in their field, and so if you or anyone you know would like to volunteer, just drop me an email. So again, thank you so much, Sheila, for doing this. We are a little bit more kind of aware and educated about GDPR and all the things happening with the data privacy laws. So thank you so much. Any last--

Sheila 47:44

Thank you.

Sheila 47:46

I just wanted to thank you very much for inviting me to participate today. It’s been a pleasure and if anyone has any questions, I hope they’ll reach out.

Rohit 47:54

Okay. Again, from everyone here at SharesPost, hope you have a great rest of the week and a wonderful summer ahead. Thank you.

Sheila 48:03

Bye now.



This article does not constitute an offer to provide investment advice or service. Registered representatives of SharesPost Financial Corporation do not (1) advise any member on the merits or prudence of a particular investment or transaction, or (2) assist in the determination of fair value of any security or investment, or (3) provide legal, tax, or transactional advisory services.

Securities referenced in this article may be offered by SharesPost Financial Corporation, member FINRA/SIPC. SharesPost Financial Corporation and SP Investments Management are wholly owned subsidiaries of SharesPost, Inc. Certain affiliates of these entities may act as principals in such transactions.

Investing in private company securities is not suitable for all investors. An investment in private company securities is highly speculative, involving a high degree of risk, and investors should be prepared to withstand a total loss of your investment. Private company securities are also highly illiquid and there is no guarantee that a market will develop for such securities. Each investment also carries its own specific risks and investors should conduct their own, independent due diligence regarding the investment, including obtaining additional information about the company, opinions, financial projections and legal or investment advice.

Accordingly, investing in private company securities is appropriate only for those investors who can tolerate a high degree of risk and do not require a liquid investment.

SharesPost, the SharesPost logo, My SharesPost, the SharesPost Index, and SharesPost Investment Management are all registered trademarks of SharesPost, Inc. All other trademarks are the property of their respective owners.

Copyright SharesPost, Inc. 2020. All rights reserved.