The Ongoing Challenge of Keeping Personal Data Private
Charlie Guarino: Hi everybody, this is Charlie Guarino. Welcome to another edition of TechTalk SMB. I’m very happy today to be sitting with the vice president of strategy, CTO and CISO, which is the chief information security officer, of Arcad Software, none other than Mr. Michel Mouchon. Michel, what a pleasure it is to be with you here today.
Michel Mouchon: Thanks. Thank you and welcome for everybody on that.
Charlie: Thank you, Michel. Thank you. Michel we were talking the other day about a topic that I think is somewhat a mystery to some companies and maybe even misunderstood by some companies and that is GDPR. So, I know it originally was intended for people in Europe but now it also has moved over to the United States in a different form but let’s start from the very beginning. GDPR, from what I know it stands for the General Data Protection Regulation. What can you give me from a very high level just to start our conversation with?
Michel: GDPR, the goal to just protect the data, your data, that most of the time are held by many company. Every time you answer something, every time you go somewhere you have some data that are stored somewhere by different company and the goal of GDPR is to regulate this item and to be able to protect you regarding that data.
Charlie: To regulate me as an end user, a consumer?
Michel: Exactly.
Charlie: Okay so this is not intended to protect companies. It’s intended to protect the people who the data is about.
Michel: It’s about personal data.
Charlie: Personal data.
Michel: Yeah.
Charlie: What was the origin of this? What started this requirement? Was there a certain trigger that happened that they decided that it was important to have this enforcement in place?
Michel: It start long time ago now even if it become reality so we started to talk about that I would say ten years ago already. But it was law, enforced as law in 80s and it enforced but so it is managed by—in France at least it is managed by what we call the CNIL. So it’s an organization that managed that since many, many, many years, okay? But now it’s enforced by law, so GDPR is a law. It comes probably from the fact that social media is growing. Digitalization is growing and more and more data now is stored forever, and the management of data forever is something that is new. Before the digital world, you know maybe someone recall your data. I don’t know but now you have more and more—for example, card—that are created a mechanism to follow you as a customer, and all this information are recorded now and intensively used due to the digital capabilities. It’s really a point about that, so it came from that. It came from that and the goal of the law as I said, it is really to help you take care of your data, to take back the control of your data.
Charlie: Michel you said some interesting terms that I wrote down while you were speaking, and the ones that I wrote down were social media, digital media, but the most important one that I wrote down was forever. That’s an important one because it seems that any content that we put out in the world on the web, on the internet for example, it does live forever. Even if you try to delete it, it doesn’t seem to actually go away.
Michel: In fact, there is in the law a notion of right to be forgiven.
Charlie: The right to be forgiven. What does that mean exactly?
Michel: It means you can decide that some company must forgive you so they must remove all your personal data because you don’t like to have your personal data. It’s a part of you, the data. You don’t like to have this personal data available in this company for any reason you want, most of the time to not receive spam for example, but it could be also because you know in your life, your long life, you are doing things and maybe you change your mind and you are doing other things and why now you must have all your history may be always visible by everyone to everyone or available every time. So this is your data, your life and you have to keep the control of your life. So you have the control of your life normally, but digital worlds remove a part of this control about the data, okay? So this is an important point.
Charlie: Which is interesting because you say, about your life. You know one thing you see online very often, people put jokes on line.
Michel: Yes.
Charlie: They say when I was in my 20s or even my 30s, we didn’t have people taking pictures and digital data—
Michel: Exactly. Exactly.
Charlie: So I guess I had more freedom to change my life and my history was not always available, but that doesn’t seem to be the case anymore.
Michel: No and the goal of the law—I don’t know if you know that now, more and more when you receive an email, always there is a sentence that ask you do you agree if we keep some data, etc. And so it’s a part of the law. It’s due to this law you have this information now. The fact when you receive an advertisement to have lines that you can access and unsubscribe. It’s also a part of this law, in fact.
Charlie: That’s a result of the law.
Michel: Yeah, it’s a result of the law and more and more people are taking care of that. It was under the cover, in fact.
Charlie: Under the covers.
Michel: It was under the covers. Now thanks to the law and maybe to the fact that the law make it mandatory to put this kind of information when you use data of someone, at least you are aware. You can decide you do not care, but you can decide to take care of it, okay? So it’s an important point because you are aware of that digital and produce some hidden activities, and the goal of the GDPR also is to make it visible. We are talking about transparency—for example of data, so transparency regarding the fact I will use some of your data. If you are interested in something and you go on the website and you want to be aware of any changes, etc., you can accept. You subscribe into some news, newsletter for example, and you do the work. An important thing for example—it appears as little things, but it is quite important. Now by difference when you register somewhere, you do not subscribe. You have to act to subscribe.
Charlie: Opt in.
Michel: Yeah, you have to check the box. Okay, I subscribe this newsletter. Before it was by default, before the law. Eventually they take care of that. They offer you the possibility to subscribe on it, but by default you subscribe.
Charlie: So do you think in the end that GDPR has had a beneficial effect to consumers? Who is it benefiting more, consumers or businesses? Or is it an equal win?
Michel: I guess the law is done for the customer. It’s personal data. In the frame of GDPR in Europe, professional data are not a part of the law.
Charlie: What is professional data?
Michel: Professional data could be your professional email address, for example.
Charlie: That’s not covered under the law.
Michel: That’s why, for example, sometime when you subscribe to some information on the web on a professional website, they ask you professional email. They don’t say your email—professional email because if you put your personal email in professional email, they did what they respect the law more or less, so it’s important to have that. Now regarding for me, it gives to the end user a lot of transparency in terms of the usage of the data and give back the control of the care of the data, okay? If we take the example of Facebook, there’s plenty of people that publish a lot of things on Facebook. Some care to publish some particular things and not the other. Some don’t care; sometimes you have someone that publish something on you.
Charlie: That’s right. That happens very often. They tag you.
Michel: I don’t know if you saw that, but on Facebook now there is a lot of security points and you can retrieve all your data, okay? So normally in Europe—if it was in Europe, you have the right to forgive. So you can ask them okay, I want you remove physically all the data. If we talk back now a little bit on the IT, okay? What is the impact on the IT?
Charlie: The impact on IT.
Michel: The impact on IT, it’s a huge impact. It’s a huge impact. The right to forgive can break totally the reality of integrity for database.
Charlie: The integrity of a database can be broken because of the requirement—
Michel: Because for example if you are a customer, if you buy something and after you want to be removed, if they have to keep the invoice for a certain duration—
Charlie: Sure.
Michel: So, invoice integrity is naming you, but if you want to remove all the data they have to remove the invoice as well, so they lose statistics for the sale, etc. etc. So it depends on how it is done for sure, but it has an impact on IT. It has an impact on the fact that IT must take care of this part. There is a solution of the right to be forgiven. It’s to mask the data definitively—so, replacing your name by 8666 and replacing your information by some things that is not you anymore, but keeping a part of the data. So this is a solution—for example, for the integrity. But what you have in your database at the end, you have half of your contacts that are fake.
Charlie: You’re anonymous. You’re anonymous.
Michel: Anonymous, exactly. So it could be after a problem for some other point. You see the complexity. Another point is regarding the marketing, and the eventually active marketing that would not apply if you as a user don’t want to.
Charlie: I have to jump in here because I wonder if most consumers are fully aware of all of the power that they have. I think many people don’t—they either don’t care or just don’t know.
Michel: I guess I’m not representative of all users but I guess there is some kind of people—for myself, for example—I’m taking care of that more precisely now than before, but there is people that don’t care because they just don’t care. That’s it. For them, it’s not a value. You know the goldmine today, it’s not anymore physical. The goldmine today is marketing data, so big data.
Charlie: That’s true. So, all of the data, digital data is the new high value. That’s where the high value is.
Michel: Yes, because if you want to advise people—if you want in fact when you put advertising on Facebook, you are touching thousands of thousands of thousands—
Charlie: Millions and millions and it’s-and it’s targeted. It’s targeted—
Michel: It’s targeted—
Charlie: So they know exactly who to send it to.
Michel: Because they know your comportment. They know which video you watch or not watch, etc. All these data, they keep it. So now their goal—I cannot debate on what is their goal, but their goal may be business. It’s funny because I saw one time in Facebook some t-shirts and okay, so they sell some shirts, nice t-shirt but okay, I will not buy that anyway. After that I see plenty of people with this t-shirt, in France, everywhere, plenty of t-shirts. So and I make the link so you know, it works. It works.
Charlie: That’s the algorithm.
Michel: Yeah, yeah.
Charlie: You don’t talk about the algorithm, but that’s the algorithm.
Michel: Yes, but in fact this algorithm is based on what? It’s based on your personal data.
Charlie: Right, exactly. So let’s focus more on the business side.
Michel: Yeah.
Charlie: What happens if I’m an enterprise, I’m a company and obviously there are laws to enforce, to make me delete my data if a consumer wants to have it deleted. What happens if that information gets breached, for example, or they don’t comply?
Michel: In fact it happen I would say more often than we thought. Normally in the law when you have an information system, you have the responsibility of the data that you own. So you have the responsibility and today for sure, the impacting GDPR, it’s to have a responsibility of some consequences in fact. Okay so this means what? This means you have to highly protect your data. If we get back a little bit on IT, I know that for example big savvy companies today refuse when they have some contract on your company, for example. They refuse to work on real data. It’s in the contract. We must not work on real data because down the road it could be a way to have loss of data or diffusion of data or bad usage of data that are not—
Charlie: So they want it anonymized.
Michel: They want it anonymized. So it’s an important part. GDPR doesn’t say you have to anonymize. GDPR says you have to take control of your data, and taking control of your data is what—you have a production environment in IT. When you have a production environment, you secure this production environment. It’s for your end user that managed it—for example do business with a customer and this is what raised. This must be protected, so this means production is secure with password, etc. So you cannot access to that but most of the time in IT, you are testing. You are not testing on production environment, you are testing on test environment.
Charlie: Test anonymous data.
Michel: And which data you use for testing.
Charlie: Well here’s another question for you then. Are the laws very clear, or are they very vague?
Michel: In some points it’s simple and clear in the fact that you have to protect the data.
Charlie: Right.
Michel: It’s not clear in the fact how you can do it or prove it is done, or at which point it will be fully done.
Charlie: Okay.
Michel: So it’s where effectively we saw that you can anonymize for example, how when you anonymize, how you will be sure, how you can certify that the anonymization is well done? It’s complex. Where do you find your data in your database? There is another point that is important, when they say you must be sure that you have anonymized your data, what is exactly anonymization? You know it’s not just remove the name. We can take an example. You go to the hospital. You have a rare disease.
Charlie: I go to a doctor.
Michel: To a doctor, to a hospital.
Charlie: Hospital, right.
Michel: You have a rare disease.
Charlie: Sure. A rare disease. Okay.
Michel: Yeah. If they anonymize your name, you can be sure that plenty of people even if they don’t see your name or your phone number, they will know it’s you, because you are unique.
Charlie: That’s true.
Michel: I take a very simple example, but sometimes it is more complex. You can have a conjunction of information that are not personal data in your point of view—so some technical information about the way you walk, the installation you have at your home, etc.—and all of that can make people can retrieve who you are.
Charlie: Let’s go into some of the actual components of the law. I know one of them for example, we said like record keeping is an important component of this and transparency, we talked about that. But what about things like cybersecurity? You know that’s a big topic within GDPR, right?
Michel: GDPR is a part of cybersecurity. When I said you have production data, you have to protect it. If there is a breach that give access to your data, they will sell your data on the dark web for example. In GDPR point of view, you did not do the job, okay? Your data was stolen and they are reselled. You know there is some component—I don’t know if you know the PCIs or—
Charlie: PCI for credit cards.
Michel: Credit card compliance, or it’s a part of that. The goal of that is to protect if the files are stolen—
Charlie: Correct.
Michel: To protect you. So it’s a particular eventual point of GDPR, but it is something that was taken seriously by banks and become a global regulation but—
Charlie: Who is impacted by GDPR? Is it large corporations or even the smallest of companies? Are they still affected, or do they have the same regulations? Are people watching them as closely?
Michel: GDPR is about personal data. So if you do B2B, normally you are not too much impacted. You are not managing personal data, you are doing B2B, so you are managing business data. So we for example—something between your company and my company, I will record your professional email address. I will record your name for sure, but as the manager of this company for example, that’s not considered as personal data, okay? I cannot use it. I can more or less bother you as a professional during your professional time because you check your email as you are at the office as a professional but—
Charlie: I know as a professional, my name and my email is public information, basically.
Michel: Yeah.
Charlie: Most people are.
Michel: Yeah. For GDPR is really personal data, so it is oriented on B2C.
Charlie: B2C, and that doesn’t matter how big or small. If I’m a sole proprietor, I’m running my own company.
Michel: Even if you are just a hair cutter, even if you put a name on just a sheet of paper and you have the phone number, this must be protected.
Charlie: That’s under GDPR.
Michel: Yeah.
Charlie: Wow. Okay. So are companies in favor of this, I mean based on what you’re hearing? Is there a lot of pushback from—well and now the law has been in place for several years, but was there a lot of pushback?
Michel: There was already fine.
Charlie: Fines?
Michel: Yeah, yeah. Big fines on different company due to that, yes, because it was enforced in ’18. I would say the pandemic slowed down a little bit the controls, but there is more and more control on that point to ensure so it’s really—it’s a big fine, big fine. So it’s more oriented on big companies that doesn’t play the game so yeah, it’s an opportunity I would say for IT because again, it’s something to take care. It’s regulation. So you know regulation are changing every time, and it’s one more regulation I would say but to protect yourself.
Charlie: And I know as the chief information security officer, I know there is continuing education required because the laws are changing and technology continues to change.
Michel: Hackers’ capabilities are changing everyday—
Charlie: Right.
Michel: So yes, we have effectively regular training on that, so it’s a permanent learning curve. It’s why, for example, for security in Arcad—if I talk in Arcad, we probably take some more service on that because it’s something that is very complex to handle. GDPR is two sides. GDPR is law and GDPR is technique, so we have a lot of lawyers specializing in just that and service techniques, so tools that help to manage the problem.
Charlie: And these lawyers were not even in effect ten years ago because the law was not in effect?
Michel: Yeah, it was an initiative of the NCIL, the French NCIL in fact, to be the GDPR after it become European, and yes it’s a huge point because in terms of law. Every time there is a new regulation, there is people to advise on you.
Charlie: So GDPR is obviously Europe, but there are laws that are now in the US, of course. There’s the California law.
Michel: And also, in Asia. We see for example in Singapore, they have their own GDPR now.
Charlie: And you’re not surprised by this?
Michel: No, no. We are not surprised because you know, the digital world is worldwide—
Charlie: Right.
Michel: And so the problem, not Europe only—so I know that when Europe intend to do that, there was question about a big company like Facebook, to name it. So do we can still provide this service to Europe?
Charlie: Right. Even though we’re-US based, we’re still affected—
Michel: Yeah, yeah, in fact—
Charlie: So many companies are affected by GDPR whether they—
Michel: You know it’s protection. So if it is protection by law, more or less if you open a service to a country—even if it is digital world, you are impacted.
Charlie: Right.
Michel: Maybe as the regulation, we make these services not accessible, but I guess I don’t know but if you see the change since in some years even in Facebook, if you see the last advertising campaign, there is a company in France. I don’t know if it is worldwide and this campaign show a girl that enter a room where they are selling her data—
Charlie: This is an advertisement?
Michel: Yes, they are selling her data and she takes his iPhone and she activates the security, and it disappear. So you know so there is a big base of advertisement campaign on tools. That use this argument because they are ready to work with us so yes, it’s a hot subject.
Charlie: Going forward, I guess though if it’s a worldwide regulation under different names, but what do you see worldwide? What do you see coming maybe in the next several years? Are the laws going to get more difficult to comply, or tighter regulations? What are your thoughts on that?
Michel: I guess the law was put in place today, I’m not sure there is a lot of companies that are really compliant in fact with the law. So there will be an increase of controls, an increase of application of the law. But as we said before, there is a clear definition of what we need to have, but not a really clear definition of how to obtain it or how to control it. Probably there will be some evolution on that.
Charlie: And more enforcement.
Michel: And maybe more enforcement or precision in the enforcement, yeah.
Charlie: Right. Right.
Michel: But you know it’s good for us. It’s good for protecting the data, your own data—
Charlie: As a consumer.
Michel: As a consumer to make your life—you can be free to do something and change your mind.
Charlie: So, final thoughts: As a consumer, it seems that I have more power that I might not be aware of.
Michel: Yes.
Charlie: So maybe the big takeaway here is we should all learn about what the law actually covers to really understand the power that we have to control our lives, because digital data can ruin reputations.
Michel: Exactly. Yeah. It was a case. You have this TV show where there is a singer. There was singer so you vote for her, for example. There was one in France, she published five years ago a strange message and it totally ruined—
Charlie: Ruined her career.
Michel: Yeah. She cannot go for one. She was excluded.
Charlie: Wow. That’s the power of information.
Michel: Yeah, and she was maybe not even okay with what she said five years ago. She was young. She was 12, okay?
Charlie: Right.
Michel: Okay and do you agree today of everything you said since 25 years? Maybe not.
Charlie: No. Of course not. People change all the time.
Michel: And so if someone take one piece of that, because you know, if you have the right to give your opinion, it’s okay. But if you don’t have this right—because it just takes a piece of information and they publish that and publish and publish and publish, you cannot answer to everything.
Charlie: So I think—in the end, it sounds like this is really a good thing.
Michel: It's really a good thing.
Charlie: Yeah. It's a good thing—in the end. As long as we understand what we have as consumers, the power that we have.
Michel: You have the power. I don't know if you see, every time you go into a search in Google now, you have a validation of your data. Sometimes it could appear a little bit boring because you have to validate every time stuff. But you know it’s—
Charlie: With good reason.
Michel: It’s maybe there is a price to pay—every time, take care of that, take care of that. Maybe it’s too much. So it will be where we probably we’ll have to find the right middle on the right position on that. But I guess yes, for me it’s really positive.
Charlie: It will continue to evolve is what I’m getting from this.
Michel: Yeah, yeah, yeah.
Charlie: Michel, this is a fascinating topic. It really is and even in the short time we’ve been talking about this, you’ve educated me. I wasn’t aware of some of these things, so thank you very much.
Michel: You are welcome.
Charlie: I think this is a topic that people need to learn more about certainly—as I said, and share this information with others so they also know. It’s an important topic, definitely an important topic.
Michel: Yeah.
Charlie: Thank you very much. This has been a real treat. Thank you, Michel. To everybody who is listening to this podcast, be sure to check out TechChannel’s other resources on their website. There are lots of other great things, podcasts and articles, things like that for you to take a look at. And with that, I will talk to you next month. Take care, everybody. Bye now.