Data Privacy Laws:
Where Do We Go From Here?

Robert Cruz: Thanks, and thanks everyone for joining, really appreciate your time.

We’re going to spend the next 45 minutes or so talking about data privacy. Where do we go from here? As you saw in the invite, the emphasis that we're going to place here is on firms that are subject to specific industry regulatory compliance obligation. Firms in the banking sector, in the insurance market, and in technology. So, not as much focusing on those businesses whose primary business is to sell consumer information, but more on organizations that have to reconcile their industry regulations with these new data privacy requirements.

Let me just kick off here by first going to the disclaimer statement, which for this topic is very important. Smarsh provides this material for informational purposes only. Smarsh does not provide legal advice or opinions. You must consult with your attorneys regarding your compliance with specific applicable laws and regulations. Critical here because we need this dialog between the compliance executives, and the privacy executives to make sure that these items are being properly vetted internally within your companies.

So let me first show you what we're going to talk about, quick introductions. We're then going to start with the discussion around GDPR. GDPR essentially provides a blueprint for how some of these privacy regulations are beginning to take shape within the United States. We'll talk about the lessons learned from GDPR, and then kind of turn to the discussion around U.S. privacy law. We'll then spend a little bit of time discussing some of the actions we think firms should take, we see firms taking today in order to be in front of some of these ongoing challenges, and very dynamic privacy regulations. Finally, we'll tie it up with just a brief overview of how Smarsh can help.

First, by way of introduction, let me introduce my colleague Shaun Hurst in the United Kingdom today. Shaun, if you could give us some of your background and your expertise in this area of data privacy, and GDPR.

Shaun Hurst: Hi everyone. My name is Shaun Hurst. I'm a technical director for our international division at Smarsh, and before joining Smarsh I actually worked in a very large American bank for about 15 years. I spent a good few years doing a lot of work around investigations, security compliance. I've brought that knowledge with me to go on the other side of the fence, as you'd say, to be able to address these concerns from a solutions point of view. So I hope I'll be able to give you a bit of insight into what I'm seeing here in Europe with GDPR being enforced now for almost a year, more than a year now, and my colleague, Robert Cruz.

Robert Cruz: Thanks Shaun. And Shaun will say privacy, and I will say privacy. Shaun in London, I'm based in the Bay Area. I've been based in the Bay Area for most of my career working in the area of regulatory compliance, e-discovery, records management, essentially working with our clients helping them to sort out some of the challenges and issues in deploying our technology to address these very complex use cases. Very much look forward to chatting with you, Shaun, on this very important topic today.

For those of you that may not be as familiar with who we are as an organization, Smarsh has been in existence for 15 plus years. We have demonstrated strength in the regulated industries. We have a comprehensive set of capabilities that encompass both the capture of different communication sources, the storage of that information, and then the ability to leverage that data to address the regulatory compliance, to address the data privacy, to address the other mandates that companies have to deal with as part of their governance initiatives.

Providing technologies that we'll talk about at the end, but really, supervisory review of these communications as well as preparation for e-discovery, litigation, and investigations has been the primary use case that's been driving our customers.

We've been recognized as a leader both in the Forrester Wave as well as in the Gartner Enterprise Archive Magic Quadrant. We are two entities combined now. We merged with Actiance in the spring of 2018. So bringing us a broad portfolio of capabilities, different solutions for different size organizations, different levels of complexity, which we'll talk about here at the end of the session.

As I mentioned, I think in discussion of data privacy in the U.S., a good place to start is looking at the blueprint that was set forth by GDPR in the EU in the past year. Things have been learned as part of the implementation, things that companies are going through. So let's start there, and Shaun why don't you give us a run-through of kind of what we've learned, what GDPR is about, and some of the key things that companies have been doing in order to stay in front of these specific regulations?

Shaun Hurst: Sure. A bit of a recap on GDPR itself. It was adopted in 2016. It went through a long process of back and forth between all the members states in Europe to agree on what the regulation should actually look like. It actually came into effect in 2018. There was a lot of preparation, a lot of confusion in the run-up to GDPR being adopted. There were people like myself trying to decipher some of the new regulations that came in. Also, companies trying to find out whether they actually were adhering to these regulations, or what they needed to do to change to be able to adhere to these regulations.

It applies to EU citizens, and what's important here is not just EU citizens in the EU, but EU citizens wherever they may reside. So you might be an American company... we have some examples a bit later of some American companies that have been fined because they’re processing EU citizens' data in maybe the wrong way. That's something very much to keep in mind, and I'm sure it's going to have an impact as well in some of the regulations that are coming up in the U.S. the fines, this is the scary bit here. The fines are large. We have a maximum of 20 million Euros, or four percent of your gross. Those fines, I've actually seen them be a bit larger, but that's because these fines have spread across multiple jurisdictions. It's not only GDPR, or the ICO that are actually mandating these fines. Other areas and other countries are looking at these companies that have been doing things a bit wrong, and there's been some significant fines. Again, we'll see a bit later on in this presentation.

The change in process. So we have a data protection officer. This is something that's common that for the majority of companies that I deal with here in London and as well in Europe, there are over 250 employees, and that's essentially the lower limit. If you have 250 employees and more, then you needed that protection officer. There are other companies that maybe have fewer employees that might still need to have that protection officer, but that is if your core of your business is dealing with public information with data privacy and information.

So the 72 hour notification of breaches, there's a lot of these time scales that come in. 72 hour notification of breaches, there's also 30 days for you to be able to respond to requests for data, but the 72 hour notification of breaches—this is where quite a few companies have come up short. And also where some companies have actually done a very good job, which is why you're hearing about these breaches so much quicker these days. They'll be in the news within 24 hours of a major breach happening. So I'm sure a lot of you have already received emails from potential breaches from companies like eBay and a few others out there. That's basically partly as a result of GDPR making sure that people are aware of their data potentially ending up in the wrong hands.

But like I said before, we have the 30 day response time as well. That's for your right of access to your data, or as we have it here, the right to inquire, which is Article 15 of the regulation. This one here has also called a few people out because how do you find this information? If I come to you as a client of your company and I say, "Please, I need all my data. I need you to provide it in a nice usable, readable format, and I need it all within the next 30 days." If I've been a customer of yours for the last 10 years and you happen to keep all the data for the last 10 years, you're going to have quite a job on your hands to put that together in a nice document and send that out. So a lot of companies have been called out for that, and a lot of the work that I've been involved in is trying to get companies in a position where they can respond far quicker to these responses because, again, there are fines for not responding in time.

So you have also another scary one here, which is the right to be forgotten or right for erasure. This one has also really been a bit of a sticking point for a lot of the people that I work with because this is where you start having a bit of a conflict as to the regulations that you're having to adhere to from a financial perspective... so in Europe we have MiFID II, which came out around the same time as GDPR, which is stipulating you have to store your data for a certain period of time..it has to be retained, and then you have this requirement from GDPR perspective that says, "A person has the right to have their data deleted." Now, it's not an absolute right, there are some caveats there, one of those being from GDPR perspective, that if the data has legitimate business use, then you don't really have a right for it to be deleted. But how do you decide whether that data has a legitimate business use? That's where the question comes up.

And then right to restrict processing. This is about what you're actually doing with that data. How are you using it? Are you doing some clever analytics with data that you're capturing? Maybe it's from websites, maybe it's some cookies. That'll be another aspect of people's lives, especially if they don't live in the EU, and they still have to get those big pop ups on all the websites these days where you have to accept these new rules and the terms of use, which has come down from GDPR. That's because people are trying to cover themselves to make sure their data is being processed in a way that doesn't breach these data privacy laws. I think there's a lot of websites out there that are very forward looking when it comes to this because potentially you might not be speaking or dealing with an EU citizen, but that's not to say that regulations like GDPR aren't going to be common place and, as we are going to discuss today, it definitely is going to be a more common place over the coming years.

Then privacy by design. This is something that we adhere to very strictly with our own company. We know how important this is, making sure that everything we do, the designs, how we put together our product is done from the ground up with privacy in mind. That's no different from the financial institutions that have to also implement these new regulations. They also need to think about it not just from an endpoint, "Where's my data? How am I storing it?" They've got to think a bit deeper down procedures, and policies. They’ve got to think about how that data is actually ultimately stored, what sort of devices, who has access to them. So there's a lot to consider and, again, that's been quite a sticking point for a lot of people, and it's meant a lot of money maybe upfront for people that haven't had good design in place with privacy in mind, but it's all for the betterment of the storage of that data, the usage of that data, and also uncovering the information that might be stored that is effectively gold. It's information that can be very useful for yourself as a company not only from a privacy point of view, but also from potential analytics.

Robert Cruz: Yeah. Shaun, I think those last four bullets are definitely pillars that you'll see in both the California laws as well as other laws that are in process of being legislated in other states. So very much a framework for the other rules that are taking shape.

So let's talk about what are the regulators? What have they done? What are some of the areas that they've focused on? Are there particular themes that have emerged over the past year as far as where the privacy authorities have spent their time? What are you seeing from their lens?

Shaun Hurst: Well, what is quite interesting... we'll take this from another angle, the companies that I was speaking to before GDPR came into play, we spoke with a lot of companies who thought we were just scaremongering that GDPR was going to be another Y2K problem, and they had nothing to really worry about, nothing was going to change. But you can see on the screen here there have been significant fines. These are only some of them. We have 281,000 cases logged in the first year of GDPR. I was having a look through this morning for some of the more recent ones, and there's some interesting ones that are popping up, and they're coming in every month. There's a whole bunch more coming in every single month. Look, there's Facebook, that's one that I think a lot of people on this webinar today will be familiar with. We're looking at some real breaches there that have cost them a lot of money.

Like I was saying before, there are certain fines, and there are limits to how much companies like Facebook can be fined by the ICO, which is the information commissioner's office, they got fined 500,000 pounds. However, there's an FTC settlement there of five billion. I think with GDPR bringing these things to the forefront is what's exposing a lot of these companies. You'll notice down there Equifax as well, 700 million FTC settlement. Again, they were only fined 500,000 pounds by the ICO, so not exactly a lot of money... or 500,000 U.S. dollars. Not a lot of money in the grand scheme of things, but it's sort of laid the foundation for that extra fine that came along.

We can see a few others there, Google, that was a good hit, quite significantly. British Airways, that was very big in the press here in the UK, and I think they've learned their lesson. I think that's the biggest fine I've seen locally where the ICO have actually fined. A lot of real fines that have been very apparent here. And the people that were closing their eyes to the problems that GDPR might've introduced, or at least uncovering some of these issues, I think their eyes are wide open now. They are making sure that they are getting themselves... well, making sure they're not going to be on this slide the next time we do this presentation.

Robert Cruz: Right. Shaun, I read something pretty interesting, which maybe you can validate, in those two top cases in particular the major stumbling block was dealing with the right of access response, just being able to respond to the individual inquiries that came in within the time period that was specified. That seems like it was one of the problems that is common across these.

Shaun Hurst: Absolutely. In fact, the latest enforcement notice that I've seen on the ICO's website is Hudson Bay Finance Limited. That was exactly what you're talking about. They had an enforcement notice for failing to respond to a subject's access request. So it's not just not responding to it in time, but they just have no way to respond to it. That's scary. At the very least, you should know where your data is, and what it is. If you don't know what it is, how can you get it? How can you gather it? How can you download it? So it's an interesting time for a lot of companies that have never really thought about things like eDiscovery, never thought that it pertained to them maybe. But when you start thinking about data privacy, that's where eDiscovery suddenly plays a big role, and knowing where your data is, knowing how to get to it, that's essential.

Robert Cruz: Shaun, I think that the great examples here... I guess if you're a regulated firm the question becomes how do you reconcile GDPR with MiFID II? How do you take an industry obligation to pertain data and address the need to maintain only the data that has business purposes? So are there themes here of what are companies actually doing in order to address what appears to be a conflict between how much information is being stored?

Shaun Hurst: Yeah. The big one, MiFID II. So it's obviously primarily... My experience is around these regulations that have come in for the financial industry. We had Dodd Frank, MiFID I, MiFID II, and these regulations have just been revised every few years to incorporate the new technologies, and the vast amount of data that we're having to process.

When MiFID II came out, the big change there was around the requirement for all data to be stored. What that means is audio data, video data, and it covers quite a lot of other areas as well, even your handwritten notes when you're meeting with a client needs to be stored in a compliant manner. Then people start asking the question, okay, that's great, but as much as we can get a fine and lose a lot of reputation if we breach the MiFID II regulations, we can have just as bigger fine, and just as much of a reputational loss if we breach GDPR.

So how do we reconcile the two? GDPR is saying we need to be able to give individuals their data, we need to also be able to delete data for these individuals if they requested. How do we make that decision whether we're able to delete that information? Again, it comes down to not just storing your data forever, which a lot of companies have been doing until GDPR came out, at least here in Europe where retention periods were more of a suggestion rather than something that was mandated by compliance or legal. Now they're taking this far more seriously. The amount of risk that you're imposing on yourselves when you don't set your attention properly, when you don't identify the right data to be retained, and when you set your attention periods maybe too long or even too short, that is something that we're helping quite a lot with. For a lot of our clients it's around giving advice as much as we're able to. From a legal perspective we can't give too much advice there, but we give some guidance around how you should be looking after your data, and how you should be retaining it.

When it comes to GDPR, as I said before, there's no mandate for you to have your data get deleted if you don't ask for it, but we have to also know that if it hasn't got a real business use, then why is that data being stored in the first place? Why is it being retained for that length of time? So it's about knowing what's in there, right?

Robert Cruz: Yeah. I think that's a great point. What is the business purpose? From that, can we be confident that we as a provider are only using that client's information for that stated purpose? It seems like the need for transparency, not just internally the way the firm is managing their own IT systems, but also the expectations that you have for your third party providers. It seems like those need to be really polished up and made sure that you're in a good spot to be able to address these requirements.

Shaun Hurst: Absolutely. That was another thing that came in with GDPR is the separation, or the difference between a data controller, and a data processor. So companies like ours, we no longer can just say, "Well, it's your data. You're storing it on our platform. We have no responsibility." We, in fact, do have a responsibility as a data processor, and we take that responsibility very seriously, but so do the other companies, people like Google, and Amazon, and Microsoft that are storing your data. They have a responsibility, as a data processor, to look after data in the same way. So it's an interesting time we're in.

Robert Cruz: Yeah. Very interesting points. I think you're going to see some of these things carry forward into this next section around the laws in the U.S.

Shaun, I think that that's a great overview, and just now kind of turning the page to the U.S. state laws. I want to first kind of take a small step backwards, which is we focused on GDPR, but it's not just about GDPR. We have a lot of clients that have operations in Singapore, or Malaysia, or they need to protect information in Brazil, or retain it in Switzerland. So this complex web of data privacy regulations across the world, it just seems like we're focusing on one of, which is now many that companies are having to be concerned about. Is that fair from your point of view?

Shaun Hurst: Absolutely. It's interesting. Some of these... especially dealing with Asia Pacific, the data privacy laws out there are actually really strict. GDPR as strict as it is sometimes isn't the most strict to deal with and having to comply as a global business when we're dealing with these global companies, they’ve got so many other areas to look at than just one data privacy regulation.

Robert Cruz: Right. Clearly it's spanning into the world of cyber security protections, jurisdictional insurance. Information needs to be retained in country, so you see a fairly complex set of requirements here.

Let's talk about the U.S. We kind of highlighted California, but it's not just about California. There's a number of other existing privacy regulations that are in effect in different parts of the U.S. today. For example, Nevada, which has an opt-out provision within their privacy regulations as to how personal data can be used, and what the individual citizens have the right there to do.

But I think what's important, the note below, is that there are bills introduced now in Connecticut, Hawaii, Maryland, Massachusetts, Michigan, New York, Pennsylvania, Rhode Island, Texas, and Washington for at least what I can track as of yesterday that all have the same concepts introduced within, regarding the right of access, and the right of deletion.

So you're going to see some very interesting things happen because you're going to have that obligation to respond, and you have the need to be able to get rid of that data if a citizen believes their information is being used inappropriately. So California is just the beginning here.

I think when you look at California specifically, the CCPA implemented, or actually passed in 2017 to take effect in 2020. The urgency here goes back to the previous slides, Facebook, and Google. Their headquarters are in California, they continue to find issues with things like subcontractors coming in and listening to voice recordings from individuals that are using their services. So you can see why California has been on the forefront of this. But as far as the act itself, the way it's laid out is that it's a bit broader than GDPR in terms of its definitions, but it's applying to companies with greater than $25 million of revenue with data belonging to more than 50,000 U.S. consumers, and in some cases revenue that attributed to selling consumer data, which we won't focus on as extensively.

One important provision here is this also applies to entities that share common branding. So if you have independent agents working on behalf of your firm, these provisions also apply to those independent entities working under your umbrella. It applies similarly to GDPR, to individuals residing in California or who may be temporarily residing outside of the state. It does provide a broader definition of personal data. Shaun mentioned that GDPR is talking about data processors and data controllers. In California, it's talking about data that can be identified, or linked to an individual even by device. And even in cases where the data has been pseudo-anonymized. In other words, the identity has been stripped. That may qualify if there's a means to re-associate that person with that data.

Penalties are prescribed differently here. $2,500 per violation, $7,500 if intentional. So, the teeth aren't as big but, as Shaun mentioned, you always have the ability for the FTC or other entities to come over the top and assess their own level of penalties on top of those required in the act.

What are the rights and responsibilities? For consumers their rights are, first of all, they have the ability to request information going back a period of time, in this case 12 months. Why is that important? The law is going to be implemented in 2020. So that data request can go back to now. Again, we need to be thinking about how you would retrieve that information. It includes a data deletion upon request, as does GDPR. There is a notification required to consumers as to how data is being processed. There is an opt-out provision as far as the ability to restrict your information from being sold to third parties, and there's a minimum and maximum damage award for possible violations. Unless the actual damages exceed those limits, then you can go beyond what's specified in the law.

On the organizational side, what companies are being asked to do is number one, to update their privacy notifications to provide disclosure of what's the business purpose? How is this data being collected, and what is it being used for as part of the privacy notification? Providing users with an understanding of what their rights are to opt out of the information. And back to the provision of right of access, in the case of California, the organization must respond within 45 days in a format that is readily usable by the consumer. So another case where the timing is going to be important. Finally, it has the same right of erasure as you see within the GDPR framework.

So some slight differences from GDPR, but the same time sensitivity, the same transparency, and consent around the business purpose that the individual's data is being collected for.

Now, what's happening from here forward? As I mentioned, 2020 January 1 implementation date. The actual regulation does not take effect until July. What's going to happen between there is commentary from the consumers and from the individuals within the state. So chances are very strong that it's going to see some further revision before its actual implementation in July.

One of the questions that we get often is how do you deal with this patchwork? Clearly the technology industry and other industries are looking federal guidance and intervention in the hope of having some federal mandated privacy regulation. And then the questions become, are these going to be stronger than what the states are enacting? A variety of bills that have been put forward at the federal level—very uncertain as to whether any of these will be implemented and how it's going to affect the specific state regulation. Clearly a lot of activity is happening now. Something for your data privacy officers to definitely keeping tabs with as far as the various acts that are currently being considered.

Shaun, I think the other thing just to raise here is what should companies be thinking about to deal with this? And technology clearly can play a role whether it's the pseudo-anonymization technology, or how they're thinking about the way data is being stored. What are some of the things you see on the horizon in terms of how companies might be better able to address some of these privacy regs?

Shaun Hurst: Well, some of the things I see when we talk about forward thinking, it's just taking into consideration that privacy... a lot of companies are making the move to Office 365, and thinking about embracing some of the new technologies that are out there. Teams is a fantastic tool, but it also introduces a few risk factors. Knowing how to not only capture that information, and make sure that you're storing it in a compliant manner for your financial regulation responsibilities, but from a data privacy perspective you potentially could be communicating with people outside your company. That introduces a whole other area of risk for yourselves.

But being able to store that data and having an insight into it and being able to very quickly get into it, know what's in there, know what you should be storing, and know what maybe you shouldn't be storing and maybe it should be removed so we remove that risk. Those are the things to consider, but some of the things, if I look really a couple years forward, I actually might come even sooner than that, is around the same thing that MiFID II introduced, which was all your data is subject to these issues. So it's subject to data privacy regulations. You need to consider what are you going to do around voice; what are you going to do around these video calls. Even these webinars that we're having right now, if there was somebody else talking on here that was maybe a third party outside our company, we’d need to think about how we would maintain that person's information in a way that doesn't breach their data privacy; be able to find that information from that multimedia perspective. That's a real challenge. I think that's going to be one of the biggest challenges that a lot of companies will face the coming years.

Robert Cruz: I think that's a great point in that some people may look at this simply as a cost of doing business. The GDPR and the California data privacy discussion kind of starts and stops with, "Well, let's invest in encryption, and let's think about email." But as you mentioned, the fact that so much communication is happening in other locations now, it's really important for firms to be thinking about what are all the ways that personal information might be exchanged? And making sure they have their systems and their data under management so they can provide the response that is mandated by all of these requirements.

Shaun Hurst: Well, there was a betting shop in the UK that recently got fined by the GDPR because they had a CCTV camera pointing out at the public and they weren't allowed to. So they got fined because of that, and that's something to consider. There's a lot of... I know a lot of bigger banks obviously will have CCTV, but they're doing things like gait analysis, and they're doing facial analysis. You’ve got to think about what you're doing with those biometrics because that's subject to the same data privacy laws that we're talking about here. Just having that biometric feed sitting there, it might be ones and zeros as far as the computer is concerned, but it pertains to identity for an individual and you need to be careful about how you approach that.

Shaun Hurst: I don't want to be scaremongering, and I don't think that's where we're coming from here. There's also value in your data. That forward thinking—it’s not just about how you're going to deal with these big regulations that might come up, these new changes that will be coming up with these laws that you're mentioning, Robert, but also think about the value that you can get out of your data using the same technology that you would to manage your compliance with these data privacy regulations. It's the same technology you can use to uncover some real benefits from that data, some real analytics. Again, it's a fine line to tread because you could be breaching some regulations, but I think the rewards from that as well are quite significant.

Robert Cruz: I totally agree, and definitely an ongoing balancing act that firms need to be thinking about just getting better value and more use and leverage from this information. I think this final point really gets to, "What do your firms do? What are they doing now? What are we observing from our clients as to the actions they've been taking?" As we get to that topic let's kind of point out some of the things that we're seeing. Again, this is not advice. This is just sharing the best practices that are emerging. This is definitely a topic where your compliance office together with your privacy executives need to be thinking about how they want to tune your processes, your training, your technologies. Let's talk about some of the things we see that are common.

I'll go back to the point you just raised, which is really understanding your data not just your back office information, or your transactional information, but how were you engaging with your customer? What are the tools that are being used by your frontline staff? What can they do through those communications sources? Because each are going to be unique if you're on Slack, or Microsoft Teams, or on a mobile device how you can interact and engage with individuals is going to vary from source to source, but it's important for privacy executives as well as the compliance teams to understand all these locations where personal information might ultimately reside.

I think, Shaun, you mentioned earlier it's like updating policies. The compliance perimeter needs to expand not just to the IT control systems, but anything that's being used, anything that you've allowed for use by your employees. If you have regulated users, or just your marketing staff, or executives knowing exactly how these tools are being used and for what business purposes, having a mechanism to be able to document that, to validate that if an inquiry comes up.

Training, making sure that your employees understand CCPA. Reach back and get a read on GDPR that's gone through a year of refining to understand how training programs can be built around those things.

Talk to me about the last two because I think these are interesting areas of technology. The supervisory processes and AI, how do you see those affecting this discussion, Shaun?

Shaun Hurst: I think it's going to be essential. We've all seen the data growth over the last few years. If we consider even looking back to early 2000s, and the fact that email was the biggest tool for communication back then. You can see that reflected on this graph because the fact is we have great oversight in our email. It's all these other risk factors that a problem. For all these other risk factors and all these other channels of communication are just adding so much to the workload of the compliance teams these days.

Without AI, without these advanced surveillance tools I don't know how companies will be able to address these risks. So that's certainly going to play a very large part in these compliance solutions, surveillance solutions going forward.

Robert Cruz: Yes. Having a single location where you can aggregate all this content and then being able to apply advanced analytics to doing the slicing and dicing to uncover exposures that you may not have been aware of. So I think these are both kind of critical areas of technology investment. We are seeing, across the market, large and small firms alike.

There's one other element here, and this... for anybody that's evaluating service providers, as we talked about the obligations under GDPR or the vast majority of these privacy regulations extend to who you choose to do business with. I think, to the concept of privacy by design, understanding how they have prioritized data privacy, what you would be expecting from as certainty as to where and how your data is being stored. Is that giving you the ability to enforce policies at a regional level? Knowing that they have the ability to restrict access to your data to only authorize individuals. Maybe they're folks that are trained and expert in CCPA, others within GDPR. Having the ability to limit access to your data to only those individuals is critical.

The final point I'll make is that right of access requirement, that time-driven requirement. This is critical to make sure that your service providers have the systems, have the technology in place that allows them to respond regardless of how frequently they get these requests, how big these requests are. It's an area where you really need to make sure that your service provider has his act together to be able to deliver in that time required.

Talk to me about some of the other things that information service providers here should be delivering, Shaun.

Shaun Hurst: It goes back to my point before, privacy by design, making sure that it's right from the very start of your conceptual view of your produce. Another big one, obviously, that we see quite a lot here it's the location of your data. I know that's something that we at Smarsh are addressing, and making sure that we are able to keep your data in the jurisdiction that it needs to be. It's very important for Europe when we deal with Germany in particular. Switzerland, of course, they have some of the most strict data privacy regulations out there. But when you start looking at Asia Pacific, that's when you start noticing that they're just as strict as we are. And making sure you have a solution that not only can you get all your data from one point of view, but also make sure that that data is sitting in the jurisdiction that it should be in. That can be challenging, and a lot of vendors out there, they have quite a task in their hands to try and do that. That's something we know and that's something we are trying to address. And I think we're doing quite successfully.

Robert Cruz: I think that last point is a great one because privacy laws will change faster than a vendor's ability to build their own data center location. In other words, your ability to stay in front of this, if you're operating through your own operated data centers is going to be a more and more complex problem for firms to try to solve.

Let's leave you with some resources that would be useful if you want to look further into any of these topics. A summary of the enforcement actions which Shaun went through. The regulation itself or CCPA. A pretty handy comparison of CCPA versus GDPR. Look at some of the state laws, and how they are ultimately taking shape. And then finally, the global view via a nice little tool from DLA Piper.

Shaun Hurst: I'm on that site every day. It's fantastic.

Robert Cruz: It's a great site, and it gives you a really nice, up to date picture of where the world is on a day to day basis.

Robert Cruz: Great discussion, Shaun. I really appreciate you sharing your insights and your expertise from the last year. Meaningful for our multinational clients as well as companies that are exclusively in the U.S., now thinking about the patchwork of state laws and how they address those.

Let’s wrap it together here with just a brief overview of how Smarsh can help in some of these areas. I'm going to return back to the concepts we've talked about here: the right of access, the right to restrict processing, the right of erasure, et cetera. Just in terms of how we can help to fulfill some of those specific requirements.

The portfolio that we provide, for those of you that may not have seen the complete picture from Smarsh, technologies, in the first box, allowing you to capture the different communication that you are allowing use from your employees whether those are collaboration technologies, mobile technologies, social media, email, other communication sources in specific parts of the world. We allow the capture and support of 80 different communication networks. Important for this discussion because this personal information can reside in any of those networks. And the communications... Well, these discussions that are sensitive can be jumping across multiple networks.

The middle box, the connected archive is that once you have all of this information coming from the different communication source delivering it to our archiving technology ensures that it can be managed in a way that allows you to deal with the right of access requirements, and also respond to the processing limitations, the right of erasure, et cetera. The two technologies we provide, the professional archive for our small and medium sized clients as well as those that are more regionally oriented, as well as the centerpiece archive for the multinationals and global firms.

Finally, the applications on top. The supervision, eDiscovery, and the ability to integrate with third party application. Things like surveillance technology to be able to do that more thorough investigative work into some of these unknown risks, and areas where dark data may hide things that are of value. So one integrated platform across all these capabilities.

Right of access. One of the key things that we can enable here for both our professional enterprise products is the ability for individuals to have access only based on a permission. So this is ensuring that authorized individuals who understand GDPR and CCPA can see specific parts of your data. So it's limiting the access based on roles that you define. You can define these at a global level, you can define these on a regional level. So the ability to meet this at whatever level of granularity is required for your business is very important. And then the ability to restrict the processing that individuals can undertake within the system whether that's searching or applying legal holds, or doing review or exporting that information, all these actions are logged, and auditable. So if you have to demonstrate that you are using the information only for the explicit business purpose, you have all the facilities here to be able to do that.

The right of access also is enabled through the ability within the systems to map the identity of the individuals to their content sources. Important because you never know which of these communication networks may contain the risk. I can see Shaun and his 35 different communication tools that he uses, and I can review that communication in one pane of glass. If conversations are happening on Slack, and then they move to a mobile conversation, I can see and track all the things that are associated to Shaun.

The right to restrict processing really comes from the depth of the capture technology. So the capture technology is not just providing the ability to grab a communication and store it. It's also the ability to implement policy controls. For example, for Microsoft Teams we can actually identify where there may be sensitive information that's being exchanged on that platform. We can then intermediate, or we can mediate that conversation, provide controls that'll allow you to enforce policies prior to that information getting to your archive. So very powerful and also providing that extra layer of inspection to be able to determine where sensitive information exist that you need to take action on.

The rights to restrict processing. I think one of the key areas here are the monitoring of the communications that are happening. So if you look at some of those supervisory capabilities, you have not only the ability to escalate and assign actions to individuals based upon the rules that you have defined, but you can also do that at different levels within your organization whether that's at a regional level, whether that's at a multinational level. You can build the policies with the granularity to meet your workflow and the specific data privacy fabric that you need to be able to address across the different markets you operate within.

Data portability is important, and from our perspective we've been able to demonstrate with some of our larger clients the fact that we can allow them to be able to address some of the portability aspects as well as the right of access just on our ability to ingest information at very high speed, and be able to deliver that information in way that legacy systems weren't capable of providing. So import and export rates are important because ultimately you need to be able to satisfy the regulator inquiry. As we talked about the right of access, some very specific time requirements, and some very clear implications if you're not able to meet those.

Data privacy or data protection by default and design. Critical for us, as we talked about it, it's much more complicated to try to build on these capabilities after the fact, as opposed to designing them into the system. So the alphabet soup of industry regulations here that we meet include SSA, include SOC 2, the ISO 27001, and 2, 27017. All these things are important because they outline the data management, the data security, the data privacy controls that we have in place that have been audited by a third party. So these are going to be the key things to make sure that a vendor is able to meet the specific security requirements of any regulation that you're dealing with.

The ability to store data immutably, or if you need, a non-immutable standard to address the right of erasure. You need to provide proof that you're following the defined business processes that you set forth in your consent statements, and your privacy statements. Having the full auditing and reporting to respond with those regulatory requests is something that is part of the operation that we bring to the market.

Finally, just this global picture of regulations that become more and more complex with locality requirements, with different jurisdictional mandates, one of the key things that we're doing here for customers is the ability to deploy in virtually any region in the world. There are 66 availability zones in 21 geographic regions in AWS alone. This being one of the technology infrastructure standards that we support, what it gives us is the ability to meet the data privacy requirements of any market that you operate within. And this number and zone list will continue to grow; flexibility to leverage these standards to help firms deal with this complex web of privacy mandates they're seeing throughout the world.

With that, I think we've reserved a few minutes of time here for questions. So we would definitely like to take anything that you would like us to discuss in more detail. Let me hand it back to Davi, and let's hit some questions.

Davi Schmidt: I will start with this one: “We're moving to Office 365, how does our data in the cloud impact privacy?”

Robert Cruz: That's a great question. Shaun, you want to start with that one?

Shaun Hurst: I think it goes back to what we were talking about before when we talked about the difference between the data processer and the data controller. Just acknowledging that Office 365, or Microsoft has a responsibility as a data processor to make sure that they are compliant, and also make sure that they are following the privacy by design mentality that we have been talking up for ourselves. I think Microsoft is doing a pretty decent job of that. There are a couple gaps to consider from a data privacy perspective, but I think combining what tools and functionality you get from Office 365 with a compliant data storage supervision and compliance product like what we provide, I think you got a formidable team there. At least from my perspective.

Robert Cruz: That’s a great point. I will just add a couple of things. Number one, I would say, virtually every organization that we're working with there is some mix of Microsoft and non-Microsoft content. So the controls that you get natively through Microsoft, you just need to make sure extend to the other communications forces, whether those are mobile consent sources, other applications, slack. Having the ability to address the non-Microsoft content, you need to be careful that you're getting both the capture as well as the policy enforcement capabilities natively.

The other key point I would raise, we've said it 42 times, but just the response to the right of access. Confidence that you're going to be able to get data out natively from 365 to meet the regulatory inquiry timeline is just something to inspect, and make sure that you feel confident you're getting what you need from Microsoft alone or can complement what they provide through the assisting third party.

Davi Schmidt: “Everyone is using their mobile device at work. How can you separate what is personal versus what is business purpose?”

Robert Cruz: That's a great question. I'll take a first stab at that. For most of our clients, there still is a lot of internal discussion around corporate owned versus BYOD, and what's the best approach to either have people with multiple devices, or what we've seen tremendous amount of demand for is technology that allows you to essentially create a dual identity on that device where you can segregate the communications that are happening for business purposes from those that are personal. Clearly, from a regulated firm perspective use of your mobile device to talk to your client comes with the condition that in doing so that communication is going to be captured and stored. It's a business record.

I think we see companies addressing this both from a policy perspective, just if you are using a mobile device understand that that's something that... Talking to a client is something that there's a regulatory obligation to protect, and if you look at it from a technology point of view, having those dual identity mechanisms is now even more useful for firms as they try to segregate the business and personal sides of what people are doing.

Shaun Hurst: A key challenge I'm seeing with a German bank that I'm working with at the moment, that they're in this bit of a dilemma where they have to consider things like social media. Now, even if it isn't bring your own device, they are still having to consider when you're at work you will be using social media and it might be your own user name and log in, of course, for things like LinkedIn, Twitter, Facebook. That content, we obviously have mechanisms to control and capture when it is behind the firewall for that company in particular. And then you have the challenge where you leave work, or you pull out your mobile phone and that is a personal mobile phone, and you maybe continue a LinkedIn private conversation on your mobile phone.

I think it's a combination of the different tools that we have available to be able to comply with these things, but additionally, as much as we can monitor, and track, and capture the information that is being put through on a private device doesn't mean that we should be doing that. At least we give you the option, but I think a big part of it is going to come down to the conversations that you need to have internally with your various stakeholders. Could be compliance, could be legal. Could be HR even just making sure that you're following through on policy and procedure that best fits your jurisdiction, as well as, what's best for your employees as well.

Davi Schmidt: This is a two part question: Please reiterate the terms behind CCPA. The second part of that is will the CCPA be implemented as is, or will there be further changes?

Robert Cruz: It stands for the California Consumer Privacy Act. And that final part of the question was is it going to stay as is? I think it's generating a ton of debate. Again, a lot of the discussion really centers on the actions and things that Facebook, and Google, and other California based corporations are finding themselves in that are obviously very public. So I think you're going to see some further definition to separate businesses that have a primary business model of selling customer information from those that are not in that business. So I think that differentiation is probably going to be made a little bit clearer, but it's a six month window where it's open for public commentary. So I think you're going to see some further definition.

One thing to keep in mind, you can't wait until July 2020 because the reach-back now is in effect. If it is implemented in 2020, June 1 you could be required to retrieve information from July 1, 2019. So it's really important for firms to start thinking about how they're going to comply just based upon some of the right of access and right of erasure requirements in particular.

Davi Schmidt: Robert, did you have any final thoughts? Or Shaun?

Shaun Hurst: No. I just appreciate everyone's time for joining us today. Reach out to us if there are any further questions or any way we can maybe help you.

Davi Schmidt: Thank you for participating in this webinar. Please note that the webinar has been recorded and a link to the recording will be sent out via email. You're welcome to send any additional questions to us at advantagessmarsh.com. If you asked a question and we were not able to get to it, we'll follow up with you after this webinar to make sure all of those questions get answered. Thanks again for attending, and have a great rest of your day.