Remember and learned something from year 2000 change --> Be smarter with EU GDPR

From year 2000 IT change to next big change - EU GDPR

How many of us remember the IT workload when we came from history 1900 to new and magnificent 2000 century and Windows 2000 Active Directory and changes in the application and so worth - was great time for trainers. Running from customer to customer and keeping Microsoft MOC 1560 NT 4 to Windows 2000 Upgrade and our own Windows Server 2000 courses.

That was the history part and lets keep it there - but this brings at least to my mind how we have prepared to May 25th 2018 when the EU GDRP comes in to effect.

The answers varies, some organization does not even know from this and others have started to prepare and others are between and or does not do anything.

Other questions is the possibility to use the law wrong way where criminal organization start to recruit people or asks people to go from one organization to another ask's them to show what they have from them and please forgot me.

Sound's like DDOS Denial-of-Service-Attack's and all based on law.

How many requests one organization can carry and use resource for this? How many resource and FTE's time they can spend to go through the request and understand if there is any risks that yes there might be some personal data from that user user who made the request.

What if I will pay 5$ per user to make the query to any global services offering organization like eBay, Amazon, Microsoft, Netflix - you know what I mean. Let's assume that someone invest 10 000$ and get 2000 users to make the request to three company Amazon, eBay and Netflix and find data from them. Based on the law they need to analyze what they have from those user's and it might be nothing - those users has not even create account to any of those services but the labour cost to do the analysis is somewhere. Then investing another 10 000$ for the same user to register and create account to those services and make the request to be forgotten after registration. Can they say that we dont have any data from your while we did the check earlier and based on law -- wrong answer. They need to do the analysis again witch equal to labour cost, time away from more productive and so on.  Then after being attacked this way too many times they answer to next user that no way, go away - we are not going to analyze you and forgot you - but this time the request like forgot dead relative

This is only an illustrative example where organizations needs to prepare and the question stays still - are they ready 25th of May 2018 unless the law.... who know's


Nevertheless, this brings to quite major topics on the table:
1. Do we know data we have and where?
2. Is our applications supporting this, application done and published earlier and/or applications in development phase?

Let's take other illustrative example using Facebook as an example. Your husband or wife has been active in Facebook and suddenly he or she died and husband or wife has to fight to get the account and profile deleted (witch opens other question of groups he/she has created and is the owner for it - what happens to those groups and data insight them witch mostly might be personal data - but that is another story and let's go back to org example) and finally got confirmation from it. Then, suddenly something happens to at the Facebook service and they are forced to restore the data - what happens then?

I don't know - sorry.

But I can bet that for relative's, it's not fun at all to see the wife or husband back and active.

This is just and example based on no knowledge how Facebook works to avoid this kind of situations but again bring the same questions to my mind - Are they ready?

So if go back to the key questions and start to think those two and start from knowledge. Structured data is easier (or not) to understand and know what we have while it is usually in database and we know where the application and database is used - correct?. The opposite - unstructured data is or should be big head ache to organizations business, risk management, security and IT.  While this is not related only to data, it's not enough that you analyze what you have in your collaboration tools and file shares but it goes also to identity and now talking privileged accounts running applications witch might user file shares as part of the small, legacy applications, do you know those, when the password has changed last time, do you have any detect and control process in place.........
The world legacy and history have huge weight here where the data has been migrated from upgraded storage during years without deleting - usually - anything.

It's payback time -unfortunately. Same way that organization using legacy Notes mail and application has explain that they saved them to bankruptcy while staying in the same license and hardware too long - it was good idea and the cheapest in short term but there is no free cheese.
It cannot be expected that if we stay in the same version, others will also do, and that there is no influence in today's social world to the brand where people to share the they are using old tools and techics in their daily work. To days digi native will vote with their feet and we can bet that their social friends will now the reason per yesterday.

Let's get back again to the unknown unstructured data and what it is. So data migrated between years from old to one without deleting together with growing data trends and user behavior. Traditional file shares does not have - usually - data classification, index and search capabilities, versioning, available from mobile - you know and can name those - there is not unless you have purchased 3rd party like Veritas Enterprise Vault archiving tools, tool you have tried to get way during email migration to the Exchange Online as good example.

So you find anykind of, age, usage and amount of data, from where you might use and know about 10-20% and other data is just storage cost - and now we are back in business - Euros, Dollars, Pesetas, Ruplas  you name it  - Money talks and in here with small example.

Assumptions:

• 24000 users
• 50 GB average disk quota per user
• 20% active and valuable data
• 3,5$ / GigaByte the managed storage cost (can be from 2-5$ per gigabyte)

Calculation (24 000*50GB*3,5$)=4 200 000,00 dollars per year - not bad.

But lets calculate what is the Dark Data size and price - so the data without any values (note here that even if old data it can be valuable like old product drawnings, contracts and so) 24 000*50*0,8=960 000 GB = 3 360 000,00 dollars for nothing. For me it sounds quite good business case.

As said, theoretically it is easy show the business case but this really requires more analysis while the 80% of total storage usually includes installation medias, backups, virtual machines disks, .ISO images, zip files and so on and today and even more in the future movies and audios files and of course including unknown amount of duplicates.


So if look back to title and year 2000 there are some common like

• Yes, it impacts to whole organization
• Yes, it requires change
• Yes, it requires finance or you take the risk of penalties. Recommend to read with your risk organization together with business, legal, security and IT.
• Yes, it include your directory services
• Yes you need end user training and communication

If done correctly with right partner you might achieve benefits like

• Yes, you can sleep your nights
• Yes, this is the time and place to upgrade and adopt governance and start to monitor
• Yes, you increase your security
• Yes, you make your or increase your data's value
• Yes, the data in static file server should be available from any device and any time and any where (who remember this from Microsoft and who and when?)
• Yes, might reduce your storage cost
• Yes, this time to create and adopt workflows and retention polices to start know the data and let automation to take care unvaluable data
• Yes, your outsourcing contracts will safe you
• Yes and No - you might need to run project to change the partner or hosting provider to sleep your nights
• Your data is available
• Better user experience and work performance while data can be found.
• Yes, you stop the snowball effect where the situation creates exeption witch creates exeption witch makes everything more complex, increase the security risk and time consuming equals to money, frankly.
• and much much more.

But this was today's story.

Todays picture brings the summer, sun and hot roads.. Feel it.

Shortly - I would

"All comments, thoughts and pictures are my own and I don't have legal background"

GDPR III and beyond

Thinking is good but also painful in IT - or is it?

Should we start from bottom up or top down when thinking of GDPR ==> Information ==> DATA ==> and finally from storage where the data has been saved in history and will be saved in future and hopefully with retention policies and archiving.

If we go back to root and ask why we have storage the answer is should be clear - we want to do business and without business there is no process to create data and demand for strorage. This should be clear for all but when we take some perspective and look outside the IT might still define what is the storage architecture used for everything and it has worked earlier but today, it's not so obvious anymore and IT need to discuss more with business to understand it's demand and how IT can bring new ideas and be enabler rather than ongoing cost.

What if we turn the idea upside down and start to think what kinf of profile we have in the organization like:

• Finance
• HR
• Sales
• Communication
• Training 
• IT
• R&D and product development
• Procurement
• ...departments...

- where each organization silo or department or business units uses their own application and creates data in their required format witch can be totally separate what other units will manage. Parallel the change from on premise to public cloud and SaaS services has spread the corporate's data - not only one data center any more with full control -  to multiple location regardeless if it has been beyond own IT's capabiliteis to offer and deliver required services or business decission.

Nevertheless the data mass is growing, it's format is extend from traditional static file to audio and video files and formats but who actually design where these should stored, how they should be available for the end users and how long and to whom and how long they are valid. Sounds like it has something to do with governance, policies, meta data blah blah blaah, and still the questions where to save these data and have clear, measurable benefits from them....

I asked my self multiple time how the GDPR and this topics mirrors to storage and answer might not at all and sametime from everywhere depending of the data content, does it include personal data, is it business data and is it valuable business data, is final version or draft version, is it searchable, is there  retention polices to delete information and data when there is no legal reason to save the data anymore with the question what is the value of the data.

And liked or not,  we come back to the basic questions of who owns the data and who creates data / information. Where the answer is Business and Sales Person managing opportunties in CRM and sending approved Proposals to the customer based on RFP as an example. If we simplify even more and start to split the tasks smaller and smaller part to understand what kind of information is handled in RFP response, we can quite easily find to type of data; structured data (customer information like anddress, contact persons, sales activities calls and emails, campaings...) managed in CRM solution and unsturctured witch is actually the result or deliverable - The Proposal.

Sounds simple, it can be or not depending of the business and the size of it.

Let's open the RFP response process. Sales person creates new  opportunity to the CRM, maybe with workflows to get intenal approvals to even start to work and staff resources and create the BID team.

The Bid team is like small project where the BID manager is responsible from the schedule and deliverables witch are usually printed or electric documents based on RFP requirements. The work requires experts and SME's able to create the solution, estimate the solution workloads and components, estimate the schedule, create the finance, define what is in the scope and out of scope, what are assumption. All these needs to be, usually, approved by business that yes this is what we want to sell and is what customer is asking in the RFP, by delivery - yes we delivery this in the presented time windows and resorces, by finance - yes all the financial like FX's, invoicing cycle, Internal fundings are align and by legal - yes from legal point of view we are OK.

Simple, but thinking this small project and data created, itj's not only the customer RFP answer file, instead it is bunch of excels, drawnings, technical documents just name it. Now we can ask a questions from us, where are we going to store these files, and sorry but even before that aks that how would we work and manage versions, how we share files, how each person now what is the current version, what are additional material and what if we need restore some part we already deleted. If we make this even more complex that all the BID team resources does not work in the same office, it will increse the internal cost to get people to work in same place unless....

OMG, question again. How good our current CRM solution supports collaboration and communication during the BID work?

• Brilliant - all the way all communication and collaboration features available from one application / service
• Good - some minor issues like lack of  IM, Share or comment or review features as an example 
• None - we can manage customer and upload document, send emails from client with preformated emails but our CRM role is for Customer relationship  and sales activities but not creating document.

What was your answer?

Same way when you are using online web shop to buy a book, the system does not include writer and printing press or forklifts moving the boxes, it includes only the customer data and the sales items and orders ==> The end product it self, not draft, not forklifts, not paper, not ink ==> the end product.

So based earlier user profile we can identify data stored to two different location based on the nature or the information:

• Managed Data - Data in CRM system (Microsoft Dynamics 365, SalesForce (might be some others too :-)) like customer name, address, contact persons, opportunties, status of those, value of the opportunity, signed proposals send to the customer and hopefully signed contracs too with terms and conditions
• Unmanaged Data - Data saved in SharePoint Online (are there other competitive solution available with end to end integration to communication and analytics...) like Word, Excel, PowerPoint, Visio, AutoCAD and other files with version history (major-minor), meta data and data classification, workflows and so on not forgetting the search capability. We have offer this kind of services or product earlier lets find cases and use copy and past the reduce the time for proposal and parallel to benchmark the price. And these also with offline capabilities with automatic syncronization and sharing capabilities.
•  

Based on earlier we start to talk about digital workplace and digital work where user can work from anywhere, use any devide and like approve the final version using phone or tablet, edit the same document version at the same from different location - All features not usually available from CRM.

As said earlier each business units has different demands and while thinking to upgrade the infrastructure one good thing is to analyze each application and service of how they use storage, what requirement they have from infrastructure based on user demands. Summarize those to undestand the big picture and then with innovation and digital on mind start to find the solution. Even that it might have bigger impact than moving data from old storage to new without any change.

As said starting from business view, moving to user profiles and understanding they daily work and information they need or create is pragmatically quite valuable and should drive the future roadmap to digital workplace.

Still keeping mind the lesson from my grandpa - the poor can not afford to buy cheap - meaning you have to buy two - first the cheap and then the more expensive.

To be Continued.....

"All opinions are my own"

GDPR to be continued II

Thinking...

When we think about GDPR and user data we can share the data to managed data with application, business logic and data base layers usually and then unmanaged data witch is more data in File servers or SharePoint or any document management data where the data is handled more like a concreate units like file with lots of words rather than smaller part of information as part of the larger information like address in CRM solution from one individual customer.

If we focus to unmanaged data we open or at least in my mind come millions of questions like governance, retention and archive policies, Meta Data, data format, data content, where to save and what data, what kind of storage architecture we have to support the type and value of the data, what kind of security policies we for data, do we classify data, do we protect data, do we have any kind of data lost prevention / protection mechanism in place, how do we recognize security breach (we don't) how do we detect and control if any security issues or un normal user behaviours in place, how do we backup and restore data, how do archive backups, how do we handle security logs if any, do we know how many dublicates we have, do we know how many movies or cat or dog pictures we hae in our system with x amount of copies, does our user know what and were to save and what type of data and maybe one hardest questions how our search works, how much our employees use time for searching something what they know to be stored somewhere but what could not be found and how much we have data from what we don't know at all.

Funny thing is that organization spends globally huge amount of time = money to find data from the data mass where part of the data is unvaluable and not required to stored based on any laws any more. Reason has been just if if if if if - you might heard that if aunt have b..s she is uncle or that if cows fly or if kids has guns and so on.
All these impacts to end user experience and efficiency witch impacts negatively to users and organizations productivity and the shares and dividends organization is paying.

All these should be seen as part of the organization digital workplace journey where the data is available, searchable, have value and old data will retire and be deleted or archived. The data is not seen as a data it is seen as asset and value for the organization

I will be the CEO or chairman of the board this would a one thing I'm interesting at least that moment when some one told that if worst case happens we have to pay penalties of 4 % or 20 million euros from total annual worldwide turnover - witch is higher.

So from where to starts is great questions and have multiple approach how to start - but without boards engagements and commitments to this why to start while you cannot achieve and realize what you are looking for. You must have the commitment from highest and get the most senior people to understand the background cross organization units; Business, HR, Finance, IT, R&D, Production... you name it.

But let's get back to unmanaged data where might be the most of the unknown information from where the organization don't have any understanding.

Regardless of your business, are you at the finance, production, resource, health care, high technology i assume that you have couple of file servers in branch offices, data centers, couple of SharePoint where the data migration was postponed due the poor finance and maybe separate document management system like Documentum and product lifecycle management PLM applications and based on users the data is not stored where it should be witch makes it unvaluable while not founded, too many versions and no knowledge of the latest version with right data.

One question you should ask from your business is "Do we know what GDPR means and how it impacts to us?"

To be continued

"All comments are my own"