The general points of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) were assessed in the Digital Journal article “European business needs to get smart about data protection.” However, there are choices that businesses need to consider in terms of practical application.
There is also a range of data privacy issues for global business to consider. Spencer Kimball, who is the CEO of NYC-based Cockroach Labs, spoke with Digital Journal about rising data protection regulations and what companies need to do to prepare. Kimball notes that, with even the smallest start-ups launching globally from day one, data privacy is not just an issue for large companies.
Digital Journal: What are the main issues facing businesses today?
Spencer Kimball: Businesses are increasingly leveraging the public cloud to increase agility, cut costs, provide a better customer experience and expand into new markets. By 2019, it is predicted that more than half of IT infrastructure spend will be in cloud technologies — including public, private and hybrid cloud technologies.
However, the reality is that this golden promise of the public cloud is often not achievable because of complexities around developing solutions for multi-regional latency, data integrity, and policy problems that threaten to stall those plans.
DJ: Does this present challenges?
Kimball: Companies face two main challenges as they transition to the cloud:
First, maintaining compliance with international data privacy regulations. More so than ever, companies are looking to expand to other regions in the country and internationally. However, the process of building a distributed data architecture that spans different regions and countries, keeps track of where each customer’s data lives and complies with a growing list of data privacy laws from the EU, China, Brazil and others is extremely complex. With even the smallest start-ups looking to operate globally from day one, this is no longer exclusively a big enterprise problem.
Second is with rising customer expectations. Engineering teams need fast, scalable, and predictable performance to meet the increasingly high expectations of their global customer base.
Businesses need enabling technologies to help with this transition. The current crop of databases are falling down in this new environment.
DJ: What complexities does the digital landscape add?
Kimball: Up until now all public cloud providers and private cloud management providers offered distinct capabilities for operators. As a result, businesses have had to contend with too many technologies with very little standardization. For example, there has been a huge proliferation of technologies to support operations for deployment in this new and rapidly expanding and evolving ecosystem.
On the database side we have MongoDB, Cassandra, Postgres and traditional enterprise databases including Oracle, SQL Server and cloud databases like Azure, Oracle as a Cloud and new entrants like CockroachDB and Aurora. On the orchestration side we have Docker, Mesosphere, Kubernetes – which has the most momentum – and Cloud Foundry. While all of these tools make things easier by making what were intractable problems tractable – the sheer number of tools adds to growing complexity and cost.
DJ: Why are governments pushing through more data privacy legislation?
Kimball: From Snowden’s revelations, Facebook’s recent data privacy scandal, to Russian hacking it has become clear to consumers and governments alike that privacy of digital information cannot be taken for granted. There is a general feeling that even good actors can’t be trusted.
As a result, governments and companies need to put a premium on protecting consumer data. In some cases, companies will do this of their own accord when it is a foundation of their value proposition, but in most cases history has shown that regulation is a more effective way to guarantee compliance with big stick regulations. The EU has long been at the vanguard of protecting its citizens’ data, but fast-evolving digital threats have led the EU to put a sweeping new regulation — GDPR — in place.
DJ: What are the implications of GDPR for a typical business?
Kimball: New government regulations like GDPR put significant financial and organizational pressure on companies. They also impose restrictions on companies who do business in their geographic zone, regardless of where the company is located. The GDPR explicitly acknowledges the protection of natural persons in relation to the processing of personal data as a fundamental right.
As such it imposes a number of restrictions on companies such as obtaining legal consent to process personal data, appointing a data privacy officer, privacy by design, and a number of other data subject rights. Companies can face fines of 4 percent of annual global turnover or €20 million (whichever is greater) for the most serious infringements (e.g., not having sufficient customer consent to process data or violating the core of Privacy by Design concepts). It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement.
DJ: Do the responses need to differ between major corporations and new start-ups?
Kimball: The dream for start-ups and growing enterprises alike is global expansion, opening the company to new revenue and new markets. GDPR will make the dream of global expansion more difficult — and more expensive. While we can assume that the EU will be scrutinizing large enterprises more closely than small start-ups, a start-up that quickly amasses customers in the EU will be lucky to escape without censure if they don’t follow the rules. As a result, we are expecting that the responses from both start-ups and enterprises will be similar.
DJ: How about companies that provide business-to-business services, like database vendors?
Kimball: All of the same rules apply. Business to business service companies will be required to not only comply with GDPR regulations themselves, but will need to help their customers comply with GDPR. For example, a US-based SaaS company will need to make sure that data is stored in the right country.
DJ: How should companies be responding to such data privacy legislation?
Kimball: Organizations that have multi-region or international customers will be challenged to find ways to keep data near their customers. They will be forced to sort out where all of this data resides, then keep track of it and secure it by industry security best practices. This will be no simple task – in many cases, enterprises will need to redesign their database architectures.
They will increasingly turn to distributed databases and inexpensive cloud services that are popping up in regions around the world to bring order to consumer data and bring, and keep, data closer to the customer. Open source tools and frameworks like Kubernetes and Docker will put these capabilities – that were once the domain of only the largest companies – within everyone’s grasp.
DJ: What services does Cockroach Labs provide to aid businesses?
Kimball: CockroachDB 2.0 helps organizations to simplify and automate the process of building multi-regional or global data architectures. A new feature called geo-partitioning gives developers the ability to direct the movement of data across servers at the database, table, and individual row level. For example, data from German customers could be directed to only exist in and be accessed from Germany. This update keeps data close to customers and presents a foundational building block for helping companies comply with data regulations like the GDPR.
DJ: Which types of businesses do you work with?
Kimball: Our customers span many industries including tech, financial services, online gaming; they come from countries around the world and include startups and large enterprises alike. Some of our customers include Mesosphere, the cluster management platform building DC/OS; Tierion, a blockchain company building a global data verification platform; and Kindred, one of the world’s leading gaming companies, with more financial transactions per year than household names like PayPal.
DJ: As a final question, which types of technology most interest you?
Kimball: The most exciting technologies on the horizon are blockchain and machine learning-based technologies that push the boundaries of what can be automated. The advancements we are seeing from self-driving cars to medical diagnostics are just the tip of the iceberg.