EU GDPR will be there but how to start the journey - Chapter 2

How to understand what data our employees are sending and where those are used.

Last time we looked the life from understanding what is happening inside our network, let's extend our mindset also to understand how to protect the information moved inside and outside our network and how to understand and make visible, where the file is opened. Cool - is in't?

One additional thing bringing more complexity is of course the hybrid setup. Our planet is not so black and white instead it have some shade of other colors between black and white :-).

So the identity is not black white, the data location is not black and white but the IT still lives in black and white to manage same resources with less money - you got it.

So if we start from basic we need to understand the data and classify it, witch makes this big change management and communication issue from the end user view. They have been familiar to save data where ever they feel comfortable or has been used to - even that there might been some guides and policies to store the data here and there without able to reuse what colleagues has created - mine is always the best and that's why I started from scratch or use only copies what I have created.

Back to classification  - in very pragmatic view the data classification can be defined to couple class:

• Secret
• Confidental
• Internal
• Not restricted / Public
• and Personal witch makes this even funnier based on EU GDPR - nice word again.

 Sounds clear and should be easy after we have configured the new classification to our organization and when people are starting to create new document those will be classified but what about the 345 Billions old, legacy file we have like Summerparty2001 pictures and invitation and food list. In this time youngster usually says OMG - still saving so old data - you are so old school. True unfortunately - organization has migrated data transition after transition after transition from NT 3,51 or maybe from OS/2 or WARP to Windows NT 4 to Windows 2000 to Windows 2003 to Windows 2008 to Windows 2012 R2 file servers and now thinking to migrate the data to Windows Server 2016 R2 and so on. And every transition we purchase more storage, build and configure more sophisticated storage solution with maybe dedublication to save the storage but still not touching the root cause.  Let's avoid opening the backup discussion here - sorry we can't. We backup the local branch office serves offering local network share to the users for data parallel to be the first place for user desktop backups - ups, same file in X:\data\path\salespresentation.pptx Drive as file and in in X:\Backups\GasMonkey\backup22022002.something and so on. While we don't have back up solution and tape's in branch office we some how copy the data to central data center where the both files and backup files are copied to tape and archive it. Simple, nice and easy - well no.

Let's take one variable here and call it human, you know the person who talk and walk do all kind of funny things. So it saves the file created in it's PC to local drive and copy it to the local network drive parallel to send it in email to 20 best friends who might need that file or maybe not and each of these best friends save the file to their local PC and maybe even in the local network drive in their office witch is then backed up to the central data center in that region not forgetting the automated backup scripts copying the file to local network share, from where other scripts copy the file to data center were it will be backed up to tape witch maybe never ever has been really tested from bottom up.

And suddently the file is 2, 3 5, 10 or 45 times stored and using the storage capacity with value of 0 when we looked the name of the file - salesguide_2005draft.doc - frankly for this does not sound fun instead.....

And short conclusion is that technology is not limiting and root cause for this - it is the human and lack of policies and governance with data classification with retention/archiving period, detect and control and proactive communication and owned by business, lead by example with commitment.

Sounds familiar - be honest.

You got the point, we need to classify the data and we must have meta data witch triggers and is used in retention. Like start workflow to get approval to delete or save other 6 months to all files classified Internal/security and have Draft Meta Data attribute. This actually come back to the terms workflow - automate - process witch are not technical IT terminology only and we might ask from our self that are these features normal disk systems and file share give to us if your answer is yes - are those in use, if answer is no - only questions is why?

So classification is needed and it must be able to configure it automatically during document creation based on the data content like social security, bank account, credit card and so on but also allowing users to overdrive the automatic rule.

Check more data from Wikipedia using following link - if it just work.
meta data
or using following link to digital guardian  digital guardian data classification


Will continue next more from Meta Data in next article and as usually

"All ideas and thoughts are my own like pictures unless told the source"

To be Continued ..

Biker's meeting Haltiala / Finland August 2016 - approx 200 bikers ( mostly age over 40)

GDPR III and beyond

Thinking is good but also painful in IT - or is it?

Should we start from bottom up or top down when thinking of GDPR ==> Information ==> DATA ==> and finally from storage where the data has been saved in history and will be saved in future and hopefully with retention policies and archiving.

If we go back to root and ask why we have storage the answer is should be clear - we want to do business and without business there is no process to create data and demand for strorage. This should be clear for all but when we take some perspective and look outside the IT might still define what is the storage architecture used for everything and it has worked earlier but today, it's not so obvious anymore and IT need to discuss more with business to understand it's demand and how IT can bring new ideas and be enabler rather than ongoing cost.

What if we turn the idea upside down and start to think what kinf of profile we have in the organization like:

• Finance
• HR
• Sales
• Communication
• Training 
• IT
• R&D and product development
• Procurement
• ...departments...

- where each organization silo or department or business units uses their own application and creates data in their required format witch can be totally separate what other units will manage. Parallel the change from on premise to public cloud and SaaS services has spread the corporate's data - not only one data center any more with full control -  to multiple location regardeless if it has been beyond own IT's capabiliteis to offer and deliver required services or business decission.

Nevertheless the data mass is growing, it's format is extend from traditional static file to audio and video files and formats but who actually design where these should stored, how they should be available for the end users and how long and to whom and how long they are valid. Sounds like it has something to do with governance, policies, meta data blah blah blaah, and still the questions where to save these data and have clear, measurable benefits from them....

I asked my self multiple time how the GDPR and this topics mirrors to storage and answer might not at all and sametime from everywhere depending of the data content, does it include personal data, is it business data and is it valuable business data, is final version or draft version, is it searchable, is there  retention polices to delete information and data when there is no legal reason to save the data anymore with the question what is the value of the data.

And liked or not,  we come back to the basic questions of who owns the data and who creates data / information. Where the answer is Business and Sales Person managing opportunties in CRM and sending approved Proposals to the customer based on RFP as an example. If we simplify even more and start to split the tasks smaller and smaller part to understand what kind of information is handled in RFP response, we can quite easily find to type of data; structured data (customer information like anddress, contact persons, sales activities calls and emails, campaings...) managed in CRM solution and unsturctured witch is actually the result or deliverable - The Proposal.

Sounds simple, it can be or not depending of the business and the size of it.

Let's open the RFP response process. Sales person creates new  opportunity to the CRM, maybe with workflows to get intenal approvals to even start to work and staff resources and create the BID team.

The Bid team is like small project where the BID manager is responsible from the schedule and deliverables witch are usually printed or electric documents based on RFP requirements. The work requires experts and SME's able to create the solution, estimate the solution workloads and components, estimate the schedule, create the finance, define what is in the scope and out of scope, what are assumption. All these needs to be, usually, approved by business that yes this is what we want to sell and is what customer is asking in the RFP, by delivery - yes we delivery this in the presented time windows and resorces, by finance - yes all the financial like FX's, invoicing cycle, Internal fundings are align and by legal - yes from legal point of view we are OK.

Simple, but thinking this small project and data created, itj's not only the customer RFP answer file, instead it is bunch of excels, drawnings, technical documents just name it. Now we can ask a questions from us, where are we going to store these files, and sorry but even before that aks that how would we work and manage versions, how we share files, how each person now what is the current version, what are additional material and what if we need restore some part we already deleted. If we make this even more complex that all the BID team resources does not work in the same office, it will increse the internal cost to get people to work in same place unless....

OMG, question again. How good our current CRM solution supports collaboration and communication during the BID work?

• Brilliant - all the way all communication and collaboration features available from one application / service
• Good - some minor issues like lack of  IM, Share or comment or review features as an example 
• None - we can manage customer and upload document, send emails from client with preformated emails but our CRM role is for Customer relationship  and sales activities but not creating document.

What was your answer?

Same way when you are using online web shop to buy a book, the system does not include writer and printing press or forklifts moving the boxes, it includes only the customer data and the sales items and orders ==> The end product it self, not draft, not forklifts, not paper, not ink ==> the end product.

So based earlier user profile we can identify data stored to two different location based on the nature or the information:

• Managed Data - Data in CRM system (Microsoft Dynamics 365, SalesForce (might be some others too :-)) like customer name, address, contact persons, opportunties, status of those, value of the opportunity, signed proposals send to the customer and hopefully signed contracs too with terms and conditions
• Unmanaged Data - Data saved in SharePoint Online (are there other competitive solution available with end to end integration to communication and analytics...) like Word, Excel, PowerPoint, Visio, AutoCAD and other files with version history (major-minor), meta data and data classification, workflows and so on not forgetting the search capability. We have offer this kind of services or product earlier lets find cases and use copy and past the reduce the time for proposal and parallel to benchmark the price. And these also with offline capabilities with automatic syncronization and sharing capabilities.
•  

Based on earlier we start to talk about digital workplace and digital work where user can work from anywhere, use any devide and like approve the final version using phone or tablet, edit the same document version at the same from different location - All features not usually available from CRM.

As said earlier each business units has different demands and while thinking to upgrade the infrastructure one good thing is to analyze each application and service of how they use storage, what requirement they have from infrastructure based on user demands. Summarize those to undestand the big picture and then with innovation and digital on mind start to find the solution. Even that it might have bigger impact than moving data from old storage to new without any change.

As said starting from business view, moving to user profiles and understanding they daily work and information they need or create is pragmatically quite valuable and should drive the future roadmap to digital workplace.

Still keeping mind the lesson from my grandpa - the poor can not afford to buy cheap - meaning you have to buy two - first the cheap and then the more expensive.

To be Continued.....

"All opinions are my own"