Teskalabs, GDPR

StartupYard Alum TeskaLabs Tackles GDPR With New Enterprise Solution

Hi Ales, TeskaLabs has done really well post-StartupYard. What have been your biggest successes in the last 3 years?

Thanks, Lloyd. Very glad to hear that. There is a lot of work behind it. As you know, TeskaLabs launched with StartupYard with a focus on securing enterprise mobile applications and networks.  Originally this was with a single core “secure gateway” technology called SeaCat. Based on our cooperation with large corporations such as 02 in the Czech Republic, we have expanded the uses for this core technology into new product lines that support enterprises with large networks and sensitive data in the field.

It is a cruel request to name the most successful piece of work we’ve done. We play a synergic game: we aim to have any new product or feature enhance the whole. So in that sense we are moving on several fronts all at once.

But if I have to choose one, it will be Black Swan, which we first talked about in our annual report last year. Black Swan is originally a part of SeaCat – but today it is a standalone product. It’s a real-time stream analyzer designed to detect anomalies, trend changes, and things that should not be happening on a high-value network. It can be used to identify cybersecurity breaches, detection of malfunctioning IT technologies, but also as a business analytics and intelligence tool.

We deployed Black Swan last year on the national network of a large mobile operator (I won’t name them here), on LTE, 3G, 2G, voice, and data. That investment from their side, I’m happy to say, paid back for them in 5 days.

You also recently announced a new data-anonymization product for GDPR compliance: TurboCat.io. Who is it designed for, and why is it needed?

This is why I said our work is so synergistic. Every time you dive into the problems of securing big networks with lots of different things going on, you discover yet another way to provide more value with the same technology base. That is the case for TurboCat.io as well.

TurboCat.io originated as a part of Black Swan. Black Swan collects and processes billions of datapoints, and a great deal of them are sensitive personal information. Obviously this is a huge concern for telco operators and really anyone who is handling a lot of customer data. GDPR comes with very expensive consequences if data is mishandled or stored in a way that isn’t permitted, so corporations are all thinking now in terms of how GDPR will impact their operations and products.

Therefore, there was particular demand from customers to develop robust tools for anonymization, pseudonymization, encryption, and other tools to ensuring air-tight data privacy. We came up with TurboCat.io thanks to a review with a corporate data privacy officer. We discovered the urgent need for a broader solutions to these issues, so we decided to make it available for others too.

So we created TurboCat.io, a product focused on de-identification of personally identifiable information (PII) as defined by GDPR. You can find more on our blog, where we are publishing a whole series about data privacy for big companies with large databases.

For those who still haven’t brushed up on GDPR and its many new requirements for online businesses, can you tell us what is most important to understand about the new framework?

I think, perhaps a little controversially, that GDPR was needed. Many companies are still in shock and trying to come to grips with the complexities and the limitations on their old data-use practices, but on the whole I think this is a constructive process.

You know, we do cybersecurity, and what we sometimes saw, in the sense of how some companies worked with personal data, scared me frankly. It should scare more people.

GDPR can be viewed as a kind of “scared straight” moment for many companies dealing with a lot of sensitive data and with customer privacy. This was really needed, and it helps to get all of us on one page, dealing with security in a more thorough and complete way. This put everybody on notice that privacy is a right for customers, and must be respected and strictly upheld.

The way the EU bureaucracy has done this is, of course, another matter. It’s not perfect, and it’s not what I would have done, but we are here to deal with it and help companies to adjust.

I view it as essential to privacy and real security, that personal data such as names, emails, addresses, and the like be recognized as having value for their owners. If a business decides to store or process these data, it must also adequately protect them. Fundamentally what GDPR does is to strongly state that these data are our property, and that our property and our privacy are not to be sold or traded as someone else’s assets, beyond our knowledge or control.

GDPR is putting a lot of businesses into panic mode right now. What do you see as the biggest vulnerabilities, and in which industries will GDPR present the biggest challenges?

Yes, you are right. There is a lot of panic.

In general, B2C companies are more exposed than B2B. Obviously B2C companies are dealing with many individuals, and often have many different products and many overlapping data sets and uses for these data that need to be understood, not only by customers but by the companies themselves.

Up to today, large B2C companies such as retailers often did not know all of the data they were storing, who had access to the data, and what all of the data was being used for across the whole company. That can no longer be the case, because in order to do any of these things legally, the company must inform the customers and ask for their permission. They must offer a way of removing these data in many cases, and that requires real changes in the way they operate.

How do you expect that GDPR requirements will change company cultures, or require big shifts in the way some companies operate?

We are working  with several big companies to help them adopt GDPR requirements, and I have to say that it is not really a significant shift at the end of the day.

Staff needs to be well informed and instructed. Bad practices need to be changed, but here it usually correlates with cybersecurity issues, so it needs to be fixed anyway. That’s why I see it as overall positive, not just for society but also for business. These things needed attention, but now there is a strong incentive to make positive changes.

One typical example is a shared account for various online (SaaS) marketing and BI tools. It is very common, and it can do a lot of damage. Single sign-ons for large organizations present a single point of vulnerability that can be exploited. If there is only one way in, then all a company’s associated data is then at risk. GDPR is going to change the behavior of these SaaS providers *and* the companies who use them for the better.

And of course, you should consult your lawyer and review your user agreements. There are probably issues you need to fix. You can no longer hide your data practices behind a general user agreement.

Aside from challenges, what opportunities or positive long-term effects are you expecting from GDPR?

I suspect the landscape of personal data dealing will change significantly. So it is definitively an opportunity for new businesses and innovations. If I have to bet, blockchain technologies and crowd monetization of the access to personal data resonates a lot.

Blockchain allows the possibility of always being in control of what data is shared, and always having visibility on how it is being used. The opportunity to change or correct personal data is really important, and the blockchain allows these changes to be made based on consensus, and not just on the decisions of a particular company. Unfair and descriminatory practices can be defeated in this way, for example by giving individuals the opportunity to see how theirs data is being used in comparison with the data of others.

How should companies make sure they’re compliant with GDPR within the next month?

It is not even a whole month until GDPR become effective. If you haven’t started, I bet you are late already. But no worries, you can still prepare your business. I think that the EU is very much expecting this to be a learning curve, and they must be prepared to give some room to manuever. Then again they will also need to make examples.

Technically: Get a good understanding what personal information you are collecting. Who has access to what, and how you protect these data. Evaluate all data exports and implement de-identification of unneeded entries. And implement monitoring of your IT systems, which will give you an audit trail. That is important for any eventual dispute and will help you a lot.