(techy music playing) >> Hi, I'm Peter Burris and once again, welcome to theCUBE. We're broadcasting today in this wonderful CUBE Conversation from our Palo Alto Studios and we're really lucky. We've got a really interesting topic. We're going to be meeting with Manmeet Singh, who's the founder and CEO of Dataguise. Manmeet, welcome to theCUBE. >> Thank you, thanks for having me. >> So, Manmeet, we're going to talk a lot, we're going to talk today about the whole concept of data privacy and how to improve the tooling fort, but first tell us a little bit about yourself and Dataguise. >> Well, I founded Dataguise in 2008, '09 timeframe. We have been around for about nine years. We have raised money at different levels, but today what we decided, people call it GDPR. We had defined it earlier, today people call it PII, PCI, so all that things, the compliance issues are coming. That's what we have been defining and doing. >> So, the whole concept of, as I mentioned, data privacy is extremely important. There's, as you said, GDPR, new regulatory pressures, new ethical pressures, business corp pressures, but increasingly also new consumer and customer pressures. >> Manmeet: Yeah. >> To force businesses or to encourage businesses, let's put it a little bit more nicely, to be more clear about what information they're gathering about the customers they're doing business with and how they're using that information. But the tooling to do that is all over the map and it's, that's one of the first excuses that businesses use is, "Well, that'd be too hard." Well, what can be done to dramatically simplify the process of identifying what is and what is not private data from a customer standpoint. >> This is, you pretty much put everything in a small nutshell for the whole problem which existing. What businesses are saying, they cannot solve the problem is no longer true. There are companies like us and there are many other companies who are in the similar frame, which are doing something else than what we do, but our company has been looking at these problems for a long time, and data, which they are collecting, they're not telling people what they have and they just don't want to. These laws and compliance issues with teeth, which are coming out today, are forcing them to tell people what they have about them, tell people if they want to use them in the right way or not. So, people are getting more control of the data. Earlier the businesses had control of the data, and this is what these laws are supposed to do and I think they are doing the right thing. >> Well, there's this notion of information asymmetry, which is a very powerful concept, and basically a situation that is informationally asymmetric exists when the buyer or the seller has a superior understanding of the information associated with the transaction and therefore is able to get a better deal or more value out of the transaction. >> Manmeet: Correct. >> In many respects what we're talking about is circumstance when customers or consumers don't know what value a business is extracting from that transaction independent of that specific knowledge or information that they provided to them, and they're trying to claw that back to assure the right level of trust, the right level of derivative activity, things that in fact are in concert with good business practices, have I got that right? >> Absolutely, absolutely, once you give the data to the customer by taking a loan from a bank or just buying a car or something you don't know where that information is being used. They get all the information from you. They get your social security number. They get your income, they get your number of dependents you have. They even get your sexual orientation on top of it. Now, do you want the bank to know all that about you if you're not doing business with them? Do you want these other agencies like social networks to know all that about you and share that information freely No you don't, how do you get that control? And that is the biggest problem which we are facing today, because these businesses don't want customers to know that and they were kind of keeping that information and extracting a large amount of value and targeting you guys because they know who are the high net worth people. So, they were distributing that data in many ways. These are my top two percent customers, these are my top 30 percent. Okay, I'll protect this data but I'll extract most value out of it. Oh, and these are people who make so little income they are not that useful as a customer but they are still useful as a data because I can make a generic campaign, so there they keep them in the lower grade level. So, those things they should tell customers. They should tell what they are extracting. So, those things were not happening and that's why if you look in Europe there's GDPR law, which just came out, and I think similar legislation will come in the US. Sooner or later it has to come in because customers are becoming very aware of this whole problem today and the data loss, which is happening on a regular basis. >> Well, GDPR provides for two types of things that a business must do. It must provide insight into the data that it's captured about a business or an individual, a legal entity, and it must also then provide the processes for remediating or taking action against that data according to whatever the customer's mooches are. >> Manmeet: Absolutely right. >> Tell us a little bit about that. >> So, these are two important features because of GDPR. First thing, GDPR has 99 articles and 173 articles and 99, like, term and technological ways. There are other ways, legal ways to do it, but technologically what they want, like if Peter decides that I need to know from this bank or this social media company how much information do you have about me and what are you doing with it, they have to provide that information is 30 days. That is called right to access, and the second thing is you can come and say, "Well, I'm not using "these five things which you sold me earlier. "I don't want you to use that information, "not even have information on that for me "or my son or my kid," so you can tell them delete that information or mask that, and this is-- >> And that's called the right to... >> Right to erasure, right to remove the data, and these two things are very important. This gives customers, they make customer the king. They make the individual the king. He can say, "Tell me what you have on me "and delete what you have on me." >> Now, the laws have been in the books, at least in the EU, for GDPR for a while, but the fines start getting leveled in May. >> Manmeet: May 25th. >> Now, we've heard that there's a lot of businesses, large and small, that are having a problem and they're asking for more time because it's so difficult. Your argument is no, it doesn't have to be difficult, they is tooling to do this. >> Manmeet: Correct. >> Talk a little bit about some of the data, some of the Dataguise toolkit and how it solved this problem so that someone actually can come into compliance, for example to GDPR. >> Correct, so what we have been doing for nine years is searching the sensitive data across an enterprise in different platforms they have. It could be databases, unstructured data, or file systems. Whatever way they are collecting data, our tools, our products can go search for that sensitive data. That's the basic minimum which you have to do for any company. Search across all the platform, all the data platform you have. The sensitive data for individuals or the sensitive data in any ways. Once you have that, then you need remediation on that, which could be either masking, redaction, or encryption. We provide all that on the premise product also, and then you need monitoring of that data, so we provide monitoring on that also and you have to give a breach detection, or you have to have a breach detection or if there is a breach of the data you have to notify the people in less than 72 hours. We can do that because we can find your breaches in real time and tell you what is in there. So, our product is fully connected from finding the sensitive data to masking the remediation or encrypting or redacting, and then monitoring that data. So, this is the on premise thing. What we announced recently when our Amazon show, which happened like two weeks back, was our product is now available as a SAAS product on all three clouds, Amazon, Google, and Azure, and if the company is born in a cloud company and they have all the data on the cloud they can do it over there. They don't have to install our product. They just subscribe to our product and they can do it. They can pay the monthly rent of our product and just use it, or they can open up a path, if it's a small company we tell them all to implement the product, they don't have resources-- >> You implement it on site. >> Implement it on site, yes, they can take our SAAS product, open a little hole on the VPN and find everything on the databases or the file systems they have and we can help do all those things which are required from GDPR. >> So, that notion, privacy compliance as a managed service. >> Manmeet: Correct, privacy compliance as a managed service, that's a good one, yes. >> So, the bottom line is if I'm a large company I don't have an excuse anymore, I can now-- >> No, you don't. >> So, you've created, and you've been around for nine years, so this is not some fly by night thing. >> No, no, no, we have been around, yes. >> You've been doing this for a while. So, I can install the tool, I can run through my sensitive information, I can start grabbing and creating metadata regarding... It's really not creating a general purpose catalog, it's creating specifically metadata and a catalog, if you will, of privacy related information. >> Manmeet: Information, correct. >> So, a large company can do that and then a customer now can be given visibility into from a right of access standpoint, and be given options about what it does and your tool will then also take action against the datas-- >> Correct. >> To be in compliance. >> So, just not do it, some large companies are already doing it. >> Peter: Mm-hmm. >> Some of my early customers have been with me for four to five years. They have been using my product. They are the largest of the large financial institution, largest of the large healthcare institution, social media companies, companies who are available selling and buying products. They have been using my product. There are companies who are using it and are successfully using it and they have been cataloging it and masking it and figuring it out, but now they have to make it available to the customer, so for them it's only one step process. Companies who have not started doing anything on it or have not thought about it, they can start using our product. They can start looking into it, they can start implementing it, or if they don't have that much resources to implement they can buy our SAAS product, which is available, which can link to their systems and give them privacy and compliance over there. >> All right, so time to value's a big issue in everything. Give us a sense of if they made a decision tomorrow, at what point in time are they actually going to be in a position to satisfy, at least in the GDPR sense, right to access, right to erasure laws. >> That's a good question because it totally depends upon how much data they have. See, there is a physics law on that one. You cannot scan petabytes of data in three days, but if you have only terabytes of data we can get it done in, like, day's time or week's time, but if you have petabytes of data you have to be doing it, like, six months earlier. You see in January some companies have not even started doing it. They should do it now because GDPR will not come fine you right away. They will say if you have a process in place they're going to give you some time. So, you need to start, like, right now. May 25th is just right away. This is not like a Y2K problem which will go away. This is a problem which is going to keep growing, keep growing, keep growing, because the data's going to keep grow. >> Mm-hmm. >> And the compliance is going to keep coming after you again and again. >> Right. >> It's not something which after May 30th is going to become, like, less effective. It's going to become more effective because they are going to fine people, they're going to bring... I'm pretty sure some European companies are going to get fined. They are definitely, once they get fined people are going to realize that this is not, this is with teeth, so they will have to do something about it. >> Yeah, and we have a chief privacy officer client that has told us that, for example, if one of the big breaches that occurred last year, US financial services company, that had it happened under the GDPR laws after the fines were put in place it would've cost that company 160 billion dollars in fines. >> Manmeet: Right. >> Would've put them out of business. >> Would put them out of business. >> So, the bottom line is if we're looking at this is there... It's not such an onerous process that a company that started now could in fact demonstrate that they're making, you know, a really good faith effort to try to come into compliance with this, but it's not just GDPR, and it's although maybe catalyzed by regulation, but increasingly this notion of information asymmetry is going to become more obvious. They may not call it that, but more obvious to consumers and businesses as well, and the whole notion of the amount of trust you should put in a brand is going to become an attribute of the decision about who you work with. How do you envision that tooling like this is going to become a part or a significant feature of a company's brand being able to demonstrate the capacity or the capabilities for doing this? >> I think this will become a selling point. Compliance is one way of doing it because then you are just tick marking for the law, but the second is the customer is becoming so aware today. The customer's going to say, "Okay, how do you "protect my data, what all do you have, "what kind of tools or products you are using "to protect my data, to monitor my data. "Otherwise I will not take loan from you "because I have 20 options to take loan from. "I'll go to that bank, which is providing better compliance and better security for my "name and my data and my information," So, similarly you're not going to buy from one company to another company depending upon what all they collect on you, what all they use it for. You're going to question that, so the awareness which all these breaches and all these social media hacks, which all happened in last, like, six months, nine months, and a year, you have seen are creating a social awareness among people. People are talking about it, if you go to social tools people are talking about it. You go to business tool people are talking about it. On your Whatsapp you're receiving so many things where people are talking about it. "Hey, my data's important to me, don't share it." So, those things have become, earlier it was like, "Hey, my data, who cares "about it," but now it's all changed. My credit card number is important, my name is important, my social security, those things are so important that the customer is going to demand that of the companies. So, companies have to invest a lot of money on that, and they should have been doing it til now, but now they will be forced to do it. It's not just a compliance, I think they all have to come together. Compliance had come at a time when these breaches are happening, so the awareness is there and the compliance is there and the issues are there, so these things will make it happen. >> So, I'm going to give you two other examples. One is, or two other questions related to this, one is from personal experience I know that a lot of companies don't realize that certain systems are in fact a part and parcel of the service path that they have to customers, and when, for example, Ransomware occurs or when they get hacked and people start grabbing information that they find out that information was grabbed out of a system and they don't associate with personal data. Are you going to, is your tool going to be able to elevate that conversation so you in fact do know everything that has personal information in it and you can bring new security, new other types of practices to bear on it? >> So, older securities which have been existing... Actually, let me put this question in a good way. What you did, it's a very great question. Older security tools have been existing. They have been a fence around the whole system. They protect Ransomware, they prevent people from coming in, going out, but still the breaches happen. First thing is breaches will happen, no matter what. They're going to figure out a better way to get into your systems. Now they've gotten into the systems. The companies have been existing for years and they don't even know how many databases or how many file systems they have, forget about data. They don't even know how many databases. There was a company, I can take an example, they said, "Oh, we have only 18 databases." I go, "Well, let me find out." We ran our tool over there, we discovered 735 databases. The reason was they had employees who came in, created data, downloaded data from the production system and that was not secure. Then we found social security numbers, email addresses, and people's salary in those 720... Do you even know that you have 720 databases? They were like, "I knew only 15 of them," and all of a sudden they bought my product because now those 715 have to come in compliance because they did not know about it. They have to do something about it. So, there are tools which our company provides which can do those things. These are large banks I am talking about. These are not like Harisho, which are, like, small companies which are, like, five million revenue. These are like billions of revenue companies and they have databases. They have file systems in the range of 1,000 to 10,000 file systems. They don't even know what they have in there. >> Peter: Right. >> We can scan them all but it'll take time. >> See, I think that's an important thing. Now, the second thing I wanted to say is GDPR does have right to access and right to erasure-- >> Manmeet: Yes. >> But it also attempts, at least, most regulations are likely to do this, to make it possible for a company to make reasonable use of data once it's been anonymized. So, for analytics, to improve products, to improve the quality of service. Do you get in the way of that, does that-- >> No, we actually make that way very effective. What we do is Peter comes in and says, "Remove my name and social security number "and my address from everywhere." We can anonymize that data, we can mask it but still keep the statistical analysis of the data in the same way. >> Peter: Interesting. >> So, Peter will become James with different social security number, which has no compliance issues because the data of Peter is gone. It'll still tell you that this person stays in this city, who bought this much on MasterCard and this much on Visa card and had that kind of income. >> Right. >> But it won't be related to the PII, PCI, or even GDPR, so it'll be compliant but it'll still give you a statistical analysis. This is what they should have been doing. This was a smart practice, this was a good practice which we have been advocating for nine years to large companies, but the good thing is now the GDPR and the compliance issues have come in, so they have to do it by force. They're going to but my product more and they have to use it. >> Right, so the bottom line is you've been out there for a while, the market's coming to you. >> Manmeet: Yes, that is happening now. >> All right, Manmeet Singh, CEO, founder of Dataguise. >> Yes. >> Great conversation about how to establish tooling to improve visibility into privacy data for regulatory trust and other issues. >> Thank you very much. >> Thanks for being on theCUBE. >> Thanks for having us, thank you. >> Once again, I'm Peter Burris, you've been listening to a CUBE Conversation from our Palo Alto Studios. Thanks very much for being here. >> Manmeet: Thank you. (techy music playing)