(electronic music) >> Announcer: Live from Las Vegas, it's theCUBE, covering NetApp Insight 2018. Brought to you by NetApp. >> Welcome back to theCUBE's continuing coverage of NetApp Insight 2018. We are in Mandalay Bay in Las Vegas, I'm Lisa Martin, with Stu Miniman. And we have a couple of guests joining us now from the A-Team, cue the music rights too. We've got Phoebe Goh, Cloud architect from NetApp, and we've got Paul Stringfellow, one of our CUBE alumni, technical director of Gardner Systems, one of NetApp's partners. Guys thanks so much for stopping by theCUBE. >> You're welcome. >> In your matching outfits! >> Thank you for having us. >> So first of all, this morning, before the general session started, I saw both of you on camera talking a little bit about the A-Team. For our audience who might not be familiar with that, I know it's been around for five years. Phoebe, talk to us a little bit about the A-Team, who composes it, obviously we've got a channel partner, it's not just NetAppians, but give our viewers a little bit of an overview of the A-Team. >> NetApp really appreciates our advocates from channel partners and also from our customers. We really love hearing from them, and we also love giving them back information about what we do, and where we're going with our vision and our strategy. So, we have channel partners on the A-Team as well as customers, and technical advisors from NetApp, such as myself, and we get together every now and then at events like Insight, and we also bring them to Sunnyvale where they are given some information about what's coming up with our strategy. >> And this is a small group of about maybe 30 people. Paul how long have you been part of the A-Team, and what has that, what you have learned from some of the other folks that are on that team? >> It's a great question, I've been a part of the team for three years, and it's kind of a symbiotic relationship almost in that it kind of works both ways. I think there's lots of value for NetApp in the partnership, in that they get to hear kind of from channel partners on the street, about what people actually think of their technology. It also works in that we get to see quite a lot of pre-release information, and it gives us the opportunity to feed back to NetApp directly from the things that we see out in the channel about what customers actually want, and then we can feed that back into NetApp, and we've seen over kind of the five years of the team, we've seen product strategies change, we've seen new products come to market, because of that direct feedback. And then from our side, when we talk to our customers, there's real value in being able to say that we've got that direct relationship with NetApp, we've got that access to their executives, and access to their research team. It works really well both ways for us. >> In the keynote this morning, we heard George Kurian talk about digital transformation, and one of those pieces is that hybrid multi cloud is the defacto IT architecture, Paul I would love to get your feedback as a channel partner, what this kind of hybrid multi cloud means to your customers, means to your business. >> So I think the idea of hybrid I think, it's different for a lot of people, so in lots of cases, hybrid for some organizations may be that their entire data center remains on prem within their own walls, however they might be using a software service, an Office 365, they may be using a Dropbox, and I don't think kind of the definition that George was talking about this morning when he talked about hybrid cloud. My little take on what George talked about as well with hybrid cloud , I think he's understanding that it exists, understand that public cloud is a thing, that the Azures, that the AWSs, the Googles, play a part in a way that some organizations are working. That's not necessarily the way your organization wants to work, so understanding that it's there, designing an architecture that recognizes that, and makes sure that if you ever want to use those kind of services in the future, that you'll be able to do so, but it's equally valid to say, actually, public cloud isn't for us. As long as you make that as a decision, and don't just fall into it because you've not really thought about it, that's a perfectly valid strategy. >> I really agree with what you were saying. So often when we talk about hybrid and multi-cloud, we're talking about infrastructure. >> Paul: Yep. >> And there's more than just infrastructure, a thing that I've been saying for a few years, let's follow the applications, and even more importantly, let's follow the data. I love we get some international viewpoints here because sometimes North America, it's like oh let's talk only about public cloud and seems to be kind of a monolithic thing. Phoebe, I would love to get your viewpoint, what are you hearing from customers when they talk about cloud, what does that mean for them, and how's NetApp and NetApp's channel partners helping them sort through this new future? >> Definitely, our customers and our channel partners are talking a lot about cloud, creating, adding agility to their business, allowing them to move faster, and to be more flexible, and what NetApp is looking to do is really enable that and speed that up for, no matter where you are in the globe, whether you're in Australia, or in America, or in Europe, that you can achieve those business outcomes that you really want, and we know that the cloud is going to help us get there, so we really want to help them use the data the best ways, and use the technology that makes sense for the business to be able to get to public cloud. >> How are you hearing, a lot of the messaging coming out, NetApp is data driven, it's the data authority, lot of transformation that NetApp's undergone in its 26 year history, I'd love to get your both of your perspectives before we wrap here about how are customers embracing that as looking to NetApp and its ecosystem partners to help them embrace this hybrid multi-cloud environment in which they live, and look at NetApp as part of their core cloud strategy, rather than data management storage? >> I'm actually really excited about this because I love collaborating and talking our customers and our partners, and what I find is that they're coming to us and saying, "Wow, we didn't know you guys did that, and "you're not even, you're not selling us something, you're "really helping us get there." We're having a conversation about how we can really get there, get to their business outcomes, rather than trying to push a product, where I find that we get to have really collaborative conversations, Paul? >> Actually, I couldn't agree more, I think that what data fabric, what this kind of hybrid cloud model means to our customers, is it opens up a much wider conversation. We're not having a conversation about storage, we're not talking to a partner saying, would you like to buy some NetApp, as a customer, because that can be, that's a yes no, I use something else, I'm not interested in NetApp or I'd love to buy some NetApp. Actually, if we can have a data conversation that talks about how do you want to use this, what are the business outcomes that you'd like to achieve, what is it you are trying to do as a business, let's help data be part of that transformation. >> Guys, thanks so much for stopping by having a quick convo, especially Phoebe since you've been in Vegas for four days already, and your voice is hanging on by a thread. Paul, Phoebe, thanks so much for your time. >> Thank you. >> You're welcome, pleasure, thank you. >> We want to thank you for watching theCUBE, from Las Vegas NetApp Insight 2018, I'm Lisa Martin with Stu Miniman, Stu and I will be right back with our next guest after a short break. (electronic music)

>> Announcer: Live from Berlin, Germany, it's theCUBE, covering NetApp Insight 2017. Brought to you by NetApp. (upbeat music) >> Welcome back to theCUBE's live coverage of NetApp Insight 2017, here in Berlin, Germany. I'm your host, Rebecca Knight, along with my co-host, Peter Burris. We are joined by Shelia Fitzpatrick, she is the Chief Privacy Officer of NetApp, and Paul Stringfellow who is a Technical Director at Gardner Systems. Shelia, Paul, thanks so much for joining us. >> Thank you. >> Thank you for inviting us. >> So, I want to talk about data privacy. The general data protection regulation, the EU's forthcoming laws, GDPR, are going to take effect in May of next year. They represent a huge fundamental change about the way that companies use data. Can you just set the scene for our viewers and explain what these changes mean? >> Sure, happy to. As you said, GDPR is the newest regulation, it will replace the current EU directive, goes into effect May 25th of 2018. It has some fundamental changes that are massively different than any other data privacy laws you've ever seen. First and foremost, it is a legal, compliance and business issue as opposed to a technology issue. It's also the first extra-territorial regulation, meaning, it will apply to any organization anywhere in the world, regardless of whether or not they have a presence in Europe. But if they provide goods and services to an EU resident, or they have a website that EU residents would go to to enter data, they are going to have to comply with GDPR, and that is a massive change for companies. Not to mention the sanctions, the sanctions can be equal to 20 million Euro or 4% of a company's annual global turnover, pretty phenomenal sanctions. There are a lot of fundamental changes, but those are probably the biggest right there. >> What are some of the biggest challenges that companies are... I mean, you talked about the threat of sanctions and just the massive implications of what companies need to do to prepare? >> To really prepare, as I'm talking to customers, they really need, unfortunately a lot of companies are just thinking about security. And they're thinking, well as long as we have encryption, as long as we have tokenization, as long as we're locking down that data, we're going to be okay. I'm saying, no. It first and foremost starts with building that legal compliance program. What does your data privacy program look like? What personal data are you collecting? Why are you collecting it? Do you have the legal right to collect it? Part of GDPR requires unambiguous, explicit, freely-given consent. Companies can no longer force or imply consent. A lot of times when you go on to websites the terms and conditions are so impossible to understand that people just tick the box (laughs). Well, under GDPR, that will no longer be valid because it has to be very transparent, very easily understandable, very readable. And people have to know what organizations are doing with their data. And it puts ownership and more control of data back into the hands of the data subject, as opposed to the organizations that are collecting data. SO those are some of the fundamental changes. For the Cloud environment, for instance, for a lot of big hyperscalers, GDPR now puts obligations on data processors which is very different from the current regulation. SO that's going to be a fundamental change of business for a lot of organizations. >> Now, is it just customers or is it customers and employees as well? >> It's customers, employees, suppliers, it's any personal data that an organization collects, regardless of the relationship. >> SO what does it mean? Does it mean that I'm renting your data? Does it mean that I, 'cause you now own it, it's not me owning it. >> I own it, that's right. >> What are some of the implications of how folks are going to monetize some of these resources? >> SO what it actually means is, as an organization that's collecting data, you have to have a legal and valid business reason for needing that data. SO part of GDPR requires what's called, data minimization. You should only be collecting the minimal amount of data you need in order to provide the service you're going to provide, or manage the relationship you're going to manage. And you are never, as an organization, the owner of that data, you're the data steward. I am giving you permission to use my data for a very specific reason. You can't take liberties with that data. You can't do, what I call, scope-creep which is, once you have the data, "Oh, I can do whatever I want "with that data," no you can't. Unless I have consented to it, you cannot use that data. And so, that is going to be a major change for organizations to deal with and it doesn't matter if it's your employee data, your customer data, your partner data, your alternative worker data, your supplier data. Whose ever data you have, you better be transparent about that data. >> Shelia, you haven't once mentioned technology. Paul, what does this mean from a technology perspective? >> I suppose it's my job to mention technology? >> As Shelia will tell you, the GDPR, it should not be driven by IT. Because it's not an IT problem, it's absolutely a legal and compliance issue. However, I think there's a technology problem in there. So for lots of things that Shelia is talking about, in terms of understanding your data, in terms of being able to find data, being able to remove data when you no longer need to use it, that's absolutely a technology problem. And I think, actually, maybe something you won't hear said very often, I'm a real fan of GDPR, I think a it's long overdue it's probably because Shelia's been beating me round the head for the last 12 months >> I have. >> about it. But, I think it's one of those things that's long overdue to all of us within enterprises, within business, who hold and look after data. Because what we've done, traditionally, is that we just collected tons and tons of data and we bought storage 'cause storage could be relatively cheap, we're moving things to the Cloud. And, we've got absolutely no control, no management, no understanding of what the data is, where it is, who has access to it? Does anybody even access it, I'm paying for it, does anybody even use it? And I think what this is, for me, if GDPR wasn't a regulatory thing that we had to do, I think it's a set of really good practices that, as organizations, we should be looking to follow anyway. And technology plays a small part in that, it will enable organizations to understand the data better, it will enable those organizations to be able to find information as and when they need it. When somebody makes a subject access request, how are you going to find that data without appropriate technology? And I think, first and foremost, it's something that is forcing organizations to look at the way they culturally look after data within their business. This is no longer about, "Let me just keep things forever and I won't worry about it." This is a cultural shift that says data is actually an asset in your business. And as Shelia actually mentioned before, and something I'll pinch in future, the data is not mine, I'm just the custodian of that data while you allow me to be so. So I should treat that like anything else I'm looking after on your behalf. SO I think it's those kind of fundamental shifts that will drive technology adoption, no doubt, to allow you to do that, but actually, it's much more of a cultural shift in the way that we think of data and the way that we manage data in our businesses. >> Well you're talking about it as this regulation that is long overdue, and it will cause this cultural shift. So what will be different in the way that companies do business and the way that they treat their customer data, and their customer's privacy? And their employee's privacy, too, as you pointed out? >> Well, and part of the difference is going to be that need for transparency. So companies are going to have to be very upfront about what they're doing with the data, as Paul said. You know, why are they collecting that data, and they need to think differently about the need for data. Instead of collecting massive amounts of data that you really don't need, they need to take a step back and say, "This is the type of relationship "I'm trying to manage." Whether it's an employment relationship, whether it's a customer relationship, whether it's a partner relationship. What is the minimum amount of information I need in order to manage that relationship? So if I have an employee, for instance, I don't need to know what my employee does on their day off. Maybe that's a nice thing to know because I think well, maybe we can offer them a membership to a gym because they like to work out? That's not a must-have, that's a nice-to-have. And GDPR is going to force must-haves. In order to manage the employment relationship I have to be able to pay you, I have to be able to give you a job, I have to be able to provide benefits, I have to be able to provide performance evaluations and other requirements, but if it's not legally required, I don't need that data. And so it's going to change the way companies think about developing programs, policies, even technology. As they start to think about how they're developing new technology, what data do they need to make this technology work? And technology has actually driven the need for more privacy laws. If you think about IoT, artificial intelligence, Cloud. >> Mobile. >> Absolutely. Great technology, but from a privacy perspective, the privacy was never a part of the planning process. >> In fact, in many respects it was the exact opposite. There were a whole bunch of business models, I mean if you think about it in the technology industry, there's two fundamental business models. There's the ad-based business model, which is, "Give us all your data "and we'll figure out a way to monetize it." >> Absolutely. >> And there's a transaction-based business model which says, "We'll provide you a service "and you pay us, and we promise to do something "and only something with your data." >> Absolutely. >> It's the difference between the way Google and Facebook work, and say, Apple and Microsoft work. SO how is this going to impact these business models in ways of thinking about engaging customers at least where GDPR is the governing model? >> Well, it is going to force a fundamental change in their business model. SO the companies that you mentioned, that their entire business model is based on the collection and aggregation of data, and in some cases, the selling of personal data. >> Some might say screwing you. >> Some might definitely say that, especially if you're a privacy attorney, you might say that. They offer fabulous services and people willingly give up their privacy, that's part of the problem, is that they're ticking the box to say, "I want to use Facebook, I want to use Twitter, "I want to use LinkedIn "because these are great technologies." But, it's the scope-creep. It's what you're doing behind the scenes that I don't know how you're using my data. SO transparency is going to become more and more critical in the business model and that's going to be a cultural, as Paul said, a cultural shift for companies that their entire business model's based on personal data. They're struggling because they're the companies that, no matter what they do, they're going to have to change. They can't just make a simple, change their policy or procedure, they have to change their entire business model to meet the GDPR obligations. >> And I think from, like Shelia says there, and obviously GDPR's very much around, kind of, private data. Well, the conversation we're having with our customers is, is a much wider scope than that, it is all of the data that you own. And it's important, I think, organizations need to stop being fast and loose with the information that they hold because not only is the private information about those people there that, you know, me and you, and that we don't want that necessarily leaked across the well to somebody who might look to exploit that for some other reason. But, that might be, business confidential information, that might be price list, it might be your customer list. And, at the moment, I think in lots of organizations we have a culture where people from top to bottom in an organization don't necessarily understand that. SO they might be doing something where, we had a case in UK recently where some records, security arrangements for Heathrow Airport were found on a bus. So somebody copied them to a USB stick, no encryption, somebody copied it to a USB stick, thought it was okay to take home and leave in the back of, probably didn't think it was okay to leave in the back of the taxi, but certainly thought it was okay to take that information home. And you look at that and think, well, what other business asset that that organization held would they have treated with such disdain, almost to say "I just don't care, this is just ones and zeroes, "why would I care about it?" It's that shift that I think we're starting to see. And I think it's that shift that organizations should have taken a long time ago. We talk to customers, and you hear of events like this all the time, data is the new gold, data is the new precious material of your choice. >> Which it really isn't. It really isn't, here's why I say that because this is the important thing and leads to the next question I was going to ask you. Every asset that's ever been conceived follows the basic laws in economic scarcity. Take gold, you can apply to that purpose, you can make connectors for a chip, or you can use it as a basis for making jewelry or some other purpose. But, data is fungible in so many ways. You can connect it and in many respects, we talked about it a little bit earlier, the act of making it private is, in many respects, the act of turning it into an asset. SO one of the things I want to ask you about, if you think about it, is that, there will still be a lot of net new ways to capture data that's associated with a product or service in a relationship. SO we're not saying that GDPR is going to restrict the role that data plays, it's just going to make it more specific. We're still going to see more IoT, we're still going to see more mobile services, as long as the data that's being collected is in service to the relationship or the product that's being offered. >> Yeah, you're absolutely right. I mean, one of the things that I always say is that, GDPR's intent is not stop organizations from collecting data, data is your greatest asset, you need data to manage any kind of relationship. But, you're absolutely right in what it's going to do is force transparency, so instead of doing things behind the scenes where nobody has any idea what you're doing with my data, companies are going to have to be extremely transparent about it and think about how it's being used. You talked about data monetization, healthcare data today is ten times more valuable than financial data. It is the data that all hackers want. And the reason is, is because you take even aggregate and statistical information through, say trial clinics, information that you think there's no way to tie it back to a person, and by adding just little elements to it, you have now turned that data into greater value and you can now connect it back to a person. SO data that you think does not have value, the more we add to it and the more, sort of, profiling we do, the more valuable that data is going to become. >> But it's even more than that, right? Because not only are you connecting it back to a person, you're connecting it back to a human being. Whereas financial data is highly stylized, it's defined, it's like this transaction defining, and there's nothing necessarily real about it other than that's the convention that we used to for example, do accounting. But, healthcare data is real. It ties back to, what am I doing, what drugs am I taking, why am I taking them, when am I visiting somebody? This is real, real data that provides deep visibility into the human being, who they are, what they face, and any number of other issues. >> Well, if you think about GDPR, too, they expanded the definition of personal data under GDPR. SO it now includes data, like biometric and genetic information that is heavily used in the healthcare industry. It also includes location data, IP information, unique identifiers. SO a lot of companies say, "Well, we don't collect personal data "but we have the unique identifiers." Well, if you can go through any kind of process to tie that back to a person, that's now personal data. SO GDPR has actually the first entry into the digital age as opposed to the old fashioned processing. Where you can now take different aspects of data and combine it to identify a human being, as you say. >> So, I got one more question. This is something of a paradox, sorry for jumping in, but I'm fascinated by this subject. Something of a paradox. Because the act of making data private, at least to the corporation, is an act of creating an asset, and because the rules of GDPR are so much more specific and well thought through than most rules regarding data, does it mean that companies that follow GDPR are likely, in the long run, to be better at understanding, taking advantage of, and utilizing their data assets? That's the paradox. Most people say, "I need all the data." Well, GDPR says, "Maybe you need to be more specific "about how you handle your data assets." What do you think, is this going to create advantages for certain kinds of companies? >> I think it absolutely is going to create advantages in two ways. One, I see organizations that comply with GDPR as having a competitive advantage. Because, number one it goes down to trust. If I'm going to do business with Company A or Company B, I'm going to do business with the company that actually takes my personal data seriously. But, looking' at it from your point of view, absolutely. As companies become more savvy when it comes to data privacy compliance, not just GDPR, but data privacy laws around the world, they're also going to see more of that value in the data, be more transparent about it. But, that's also going to allow them to use the data for other purposes, because they're going to get very creative in how having your data is actually going to benefit you as an individual. SO they're going to have better ways of saying, "But, by having your data I can offer you these services." >> GDPR may be a catalyst for increased data maturity. >> Absolutely. >> Well, I wanna ask you about the cultural shift. We've been talking so much about it from the corporate standpoint, but will it actually force a cultural shift from the customer standpoint, too? I mean, this idea of forcing transparency and having the customer understand why do you need this from me, what do you want? I mean, famously, Europeans are more private than Americans. >> Oh much so. As you've said, "Just click accept, okay, fine, "tell me what I need to know, "or how can I use this website?" >> Well, the thing is that, it's not necessarily from a consumer point of view, but I do think it's from a personal point of view from everybody. SO whether you work inside an organization that keeps data, that's starting to understand just how valuable that data might be. And just to pick up on something, that just to pop at something you were saying before, I think one of the other areas where this has business benefit is that that better and increased management and maturity, actually I think is actually a great way, that better maturity around how we look after our data, has huge impact. Because, it has huge impact in the cost of storing' it, if we want to use Cloud services why am I putting things there that nobody looks at? And then, looking at maintaining this kind of cultural shift that says, "If I'm going to have data in my organization, "I'm no longer going to have it on a USB stick "and leave it in the back of a cab "when it's got security information "of a global major airport on it. "I'm going to think about that "because I'm now starting to understand." And this big drive about, people starting to understand how the information that people keep about you has a potential bigger impact, and it has a potential bigger impact if that data, yeah, we've seen data breach, after data breach after data breach. You can't look at the news any day of the week without some other data breach and that's partly because, a bit like health and safety legislation, GDPR's there because you can't trust all those organizations to be mature enough with the way that we look after our data to do these things. SO legislation and regulations come across and said, "Well, actually this stuff's really important "to me and you as individuals, "so stop being fast and loose with it, "stop leaving it in the back of taxis, "stop letting it leak out your organization "because nobody cares." And that's driving a two-way thing, here, it's partly we're having to think more about that because actually, we're not trusting organizations who are looking after our data. But, as Shelia said, if you become an organization that has a reputation for being good with the way they lock their data, and look after data, that will give you a competitive edge alongside, actually I'm being much more mature, I'm being much more controlled and efficient with how I look after my data. That's got big impact in how I deliver technology and certainly, within a company. Which is why I'm enthusiastic about GDPR, I think it's forcing lots and lots of long-overdue shift in the way that we, as people, look after data, architect technology, start to think about the kind of solutions and the kind of things that we do in the way that we deliver IT into business and enterprise across the globe. >> I think one of the things, too, and Paul brought it up, is he mentioned security several times. And, as Paul knows, one of my pet peeves is when companies say, "We have world-class security, "therefore we're compliant with GDPR." And I go, "Really, so you're basically locking down data "you're not legally allowed to have? That's "what you're telling me." >> Like you said earlier, it's not just about having encryption everywhere. >> Exactly, and it's funny how many companies say "Well, we're compliant with GDPR "because we encrypt the data." And I go, "Well, if you're not legally allowed "to have that data, that's not going to help you at all." And, unfortunately, I think that's what a lot of companies think, that as long as we're looking at the security side of the house, we're good. And they're missing the whole boat on GDPR. >> It's got to be secure. >> It's got to be secure. >> But-- >> You got to legally have it first. >> Exactly. The chicken and the egg. >> But, what's always an issue with security, around data and the stuff that Shelia talked about is quite a lot, is that one of the risks you have, is you can have all the great security in the world but, if the right person with the right access to the right data has all the things that they should have, that doesn't mean that they can't steal that data, lose that data, do something with that data that they shouldn't be doing, just because we've got it secured. SO we need to have policies and procedures in place that allow us to manage that better, a culture that understands the risk of doing those kinds of things, and maybe, alongside technologies that identify, unusual use of data are important within that. >> Well, Paul, Shelia, thank you so much for coming on the show, it's been a fascinating conversation. >> Thank you very much, appreciate it. >> Yeah, thanks for having us on, appreciate it. >> I'm Rebecca Knight for Peter Burris, we will have more from NetApp Insight here in Berlin in just a little bit. (upbeat music)