Anthony Di Bello is Senior Director, Market Development, at OpenText. I knew him at Guidance Software before that, and OpenText’s acquisition of Guidance Software is the first topic covered in this interview, recorded at Legaltech in New York in February (which is why the GDPR, the subject of most of the discussion, is referred to as a future event).
Anthony Di Bello says that OpenText’s acquisition of Guidance Software, with its abilities to search, preserve and collect the data, was a logical acquisition for OpenText to complement its earlier acquisition of Recommind (now part of OpenText Discovery) with its Axcelerate search and analytics capability.
It is also, he said, an investment in security, which is increasingly important to clients. Clients have been asking OpenText how it can help them secure data while simultaneously making it available for discovery in compliance with regulations. Those regulations include not just the then-pending GDPR but existing US state notification requirements and PCI (Payment Card Industry) obligations.
Accessibility is not the primary driver for the GDPR, I suggested. Anthony Di Bello says that “regulated accessibility” is what matters here. The GDPR has incited interesting conversations with clients who need visibility over the things they are required to look after. The GDPR, Anthony Di Bello says, is forcing dialogue between legal, IT, compliance and other areas of responsibility within corporations to find out where data sits, who is responsible for it and (not to be overlooked) what value it has.
On data retention, many organisations have been good at policies and schedules but less so on enforcement. The GDPR obligation to keep data only for the purpose for which it was collected and to dispose of it once that purpose is fulfilled is not a bad approach to data generally, with or without the requirements of the GDPR.
We also talked about the data breach notifications in the GDPR. These are similar in kind to existing notification duties, albeit with a tighter timetable: the 72-hour notification period set out in the GDPR. Contrary to many views, this is not an obligation to tell the regulator absolutely everything within 72 hours. Generally, it is an obligation to say that there has been a breach, what the scale of it is in broad terms, and what the company intends to do about it, with more information being added later. As OpenText brings visibility to content, it can enable its users to ask the questions needed to give answers to the regulator such as “Did any data actually leave the building?”.
I asked Anthony Di Bello if the GDPR has helped encourage organisations to practise for potential breaches. He says that financial organisations and central governments are getting ready for possible adverse events so that everyone knows what their role is and who they must communicate with, but many companies have some way to go on this.
It will be interesting to see if we get better practices generally for the handling of data, once the dust has settled on the GDPR. Not unreasonably, Anthony Di Bello said that by bringing Axcelerate, EnCase and other machine technologies to the task, OpenText can help clients move in this direction.