The blog post from VMWorld, where I am really excited about how Cohesity have written the playbook for GDPR compliance in the Data Centre and the Cloud, and I don’t think they realise it.
Full disclosure up front. I was invited to a vRetreat blogger briefing on Cohesity. I am not a paid blogger and I have not been paid or promised any gratuity. (But I did get delicious pastries and nice coffee at the venue in Barcelona, including a glass of Cava). I was attending this briefing out of interest in Cohesity, which is a not-so-new player in secondary storage. Beyond the invite and being in Barcelona for VMWorld 2018, I wasn’t expecting to be excited by a company’s strategy that genuinely addresses GDPR as a policy and practice.
The purpose of the briefing was to allow Cohesity’s Field CTO, Rawlinson Rivera, to give an overview of Cohesity’s technology and their vision of the future, based on their announcements at VMWorld.
I have to hand it to Rawlinson Rivera, his delivery was very “Hollywood”. I don’t mean that in a derogatory way, rather it was delivered with style and substance.
Now other technical bloggers will likely address the “How” for the technology that Cohesity offers. My perspective is a more strategic one about the “Why”.
But before I get ahead of myself, let me set the stage as Rawlinson Rivera did in terms of defining the problem.
From Cohesity’s perspective, they are pointing out that secondary infrastructure tasks, backups, test dev, archiving, and analytics are prone to inefficiencies. I don’t think anyone can refute that. Indeed these are complex tasks and are predestined to become “wicked” problems. A wicked problem, as Wikipedia describes it, is a problem that is difficult or impossible to solve because of incomplete, contradictory, and changing requirements that are often difficult to recognise. The use of the term “wicked” here has come to denote resistance to resolution, rather than evil. The cloud has obviously inherited this complexity from the Data Centre.
Cohesity offer their solution to this problem by converging your secondary data on a single cloud-ready solution, “Cohesity Data Platform”.
This solution offers plenty to talk about, including a web-scale distributed file system, accelerated application development and in-depth data insight. But what captured my attention were the differentiators that Cohesity offer, as highlighted by Rivera. In particular the data reduction differentiator, as it started me thinking about GDPR in the Data Centre and the cloud.
Just to clarify, GDPR is European Data protection legislation. For the sake of consistency, I’ll share the definition that Cohesity uses to describe GDPR:
“The General Data Protection Regulation (GDPR) harmonises data privacy laws across the European Union (EU). In effect May 25, 2018, it has been called the “most important change in data privacy regulation in 20 years” because it gives EU citizens new rights over their personally identifiable information (PII)—from knowing how long companies retain it to demanding it be deleted. Organisations worldwide that have EU residents’ personal data are subject to the regulation, underscoring the importance of a modern framework for data processing. Cohesity’s unified, web-scale secondary data solution consolidates PII and streamlines compliance with the subset of GDPR requirements related to data protection and data management, helping to mitigate both technical measure and key provision non-compliance fines which can be up to 2% (or €10M) or 4% (or €20M) of global annual revenue for each incident, respectively. Enterprise data, including PII, is stored in silos both on-premises and in clouds where fragmentation, lack of visibility, and legacy products make it difficult to discover and search. Poor protection and limited data access and reporting is unacceptable under the GDPR. To comply with GDPR, companies must know exactly what PII they have, where it is stored, how long it has been stored, and whether it has been breached. Furthermore, they must be able to comply with individual citizen requests for modification and deletion.” Source: https://www.cohesity.com/resource-assets/solution-brief/Cohesity_GDPR-Solution-Brief.pdf
When we look at the problem the Data Center and Cloud have, it’s really difficult for organisations to reach compliance with this legislation. And the penalties are severe. However, as the rest of the article source points out, Cohesity’s software offers positive benefits that assist in reaching compliance.
But I think Cohesity may not realise that they potentially have written the standard for achieving GDPR compliance in the Data Center and the Cloud. Or at the very least set the standard for themselves that others could follow. I particularly liked the data reduction differentiator that was called out for its platform. Because a really good GDPR-compliant strategy in my opinion is Data Reduction. And I admire how Cohesity does this.
These advantages that Cohesity point out look to me like a sound GDPR compliance policy for the Data Centre and the Cloud that all data professionals ought to follow. One worth implementing, ensuring Data Professionals need not lose sleep over it or the 4% penalty. And I’d encourage Cohesity to capitalise on highlighting this far more.
I would contend there is not enough discussion about GDPR in the Secondary Infrastructure space. Everybody seems to be waiting for someone else to breach the regulation and learn from that. I don’t particularly think waiting for a disaster like that is a good strategy. Instead, perhaps mitigating the risk of a breach of regulations and having policies that build compliance into your Data Centre and Cloud Services is more appropriate.
I welcome comments on my perspective on this. Does Cohesity offer enough, or too much compliance? Would you agree that Cohesity seems to be setting a standard, or is this a common standard already across Data Professionals addressing GDPR?
Feel free to keep this discussion going. I would love to hear people’s thoughts.