Monday, May 21, 2018

Risky Data 2: GDPR outside the EU

Image courtesy of the European Commission
This is the second in our series examining the impact of GDPR outside the European Union. GDPR (General Data Protection Regulation) is the new privacy law enacted by the European Union that becomes effective May 25, 2018.

The law attempts to enforce an individual’s ownership rights of their personal data. It includes provisions to protect the use of any individual’s data that is collected by an enterprise and/or shared with business partners, etc.

It includes significant control over and restrictions on what can be done with such data without specific permission of the owner. In addition, because of the risk of exposure of private data by ‘bad actors’, it imposes very tight deadlines on reporting exposure of such data, along with severe penalties for violating GDPR provisions. 

As a result, the details of the act become very important. As with any very large, broadly targeted and comprehensive law created by a large bureaucracy, there are certain to be unintended consequences along with the intended consequences of the provisions. GDPR covers procedures for obtaining permissions for data use. There are deadlines set for reporting of data theft, data breaches, loss of control, etc. In this piece, we examine some of those details and the risks entailed as a result.

Areas of Uncertainty

Given the size of the task, it is not so surprising that many areas exist in GDPR regulation requirements that are unclear, lacking in detail, or remain undecided. For example, there exists no clear explanation of how the regulations will function in practice. Also lacking are any hints of what operational changes will have to be implemented during the first several years as the regulation begins to take effect. It is normal to have some timeline and specifics provided to help guide and facilitate implementation efforts.

As an example, in many enterprises, while there are management and audit groups that set policy, it is IT operations that has direct responsibility for the implementation details and activities involved in data collection, storage and management. Therefore, GDPR-related implementation will have a profound effect on IT operations. Operations managers should be aware of the areas of concern.

As mentioned in the first article, explicit permission is required for collection and use of data. For minors, either the parents or a legal guardian must consent. That requirement alone can have severe problems in implementation, both practical and legal. What will be the process to contact the parents for consent? If you rely on the child to involve the parents, will they tell the truth? Will they identify someone else, who they know will give permission? What restrictions exist about the data that can be requested?

Another area that comes to mind concerns the GDPR-set deadlines for responding to violations or permission requests. For example, the time limits set for responding to queries for access to personal data, or for alerting and acting on data access breaches, appear unrealistic[1]. They will have to be adjusted as companies fail to meet them. We know from experience that planners seldom anticipate the full consequences of their dictates, nor are they good at estimating the cost and time required to comply with them. Only experience reveals the unintended results. It is reasonable to assume many of the GDPR proposed changes will be revised or radically altered, even eliminated, as actual experience at applying the rules accumulates.

However, it is not clear how significantly nor how quickly any such adjustment will be made. Nor is there any guarantee of how infractions will be treated in the interim.

Each country within the EU will have its own GDPR authority. This raises a host of questions. Germany, for example, has historically been the strictest enforcer/protector of data privacy, applying restrictions and punishing violations much more vigorously than other countries. We don’t expect any change in their position.

Additionally, will large companies be able to shop around the EU to identify the country with the laxest enforcement policies? This is exactly what happened with corporate tax legislation and enforcement. Companies arranged business accounting, manufacturing and delivery processes to minimize tax liabilities. By implementing complex transaction processes, companies were able to greatly reduce taxes paid. As would be expected, enterprises included careful consideration of countries’ taxation policies when making large-scale investment and job creation decisions. Will it be possible to do the same with GDPR?

The way actual fines will be determined is not specified. Will the countries differ in calculation formulas? For example, how would the fine be calculated if the data on 500 people is stolen? Does that count as one infringement, or 500?

A strict reading of GDPR means that American companies, including those that have no physical presence in the EU, could be subject to the EU’s worldwide scope if they have personal data on any EU citizen or resident in their systems. Presumably, the EU would need the local courts to agree to enforce penalties on these companies. How will that work? Will enterprises have to wait for such a case to reach the US Supreme Court to find out the answer? Or will it become an issue in trade negotiations? To date, there have been no public announcements or, as far as we know, any discussions. Nevertheless, it is reasonable to assume the US will enter any such negotiation with its own interests in mind.

What will be the effect of Brexit on GDPR? Since the UK is leaving the EU, it would seem that the EU mechanism for enforcing GDPR will not apply to the UK. Will the UK decide to make GDPR a part of its law? If so, will the UK make changes in the version of GDPR that it adopts? If it does, how will it differ? In scope? In fines? In restrictions? Will UK enforcement be similar to or radically different from enforcement in the EU? If not, how will it differ? Presumably, at least some of these questions will be answered as the UK prepares its exit from the EU.

Finally, GDPR may be tied up in the European courts for some undetermined period as soon as some of the rules are enforced, and it is likely that it will be challenged in this way. This may also happen in the UK if Britain leaves the commercial trading jurisdiction of the EU as it exits the EU community.

In sum, there are numerous areas of uncertainty surrounding GDPR. Only experience and time will provide definitive answers. In the meantime, it is wise to determine the potential for GDPR to impact your operations. If it is significant, you will need a strategy to prepare for it. Our next installment will examine issues about that potential, as well as what should be considered in developing such a strategy.

This document is subject to copyright.  No part of this publication may be reproduced by any method whatsoever without the prior written consent of Ptak Associates LLC. 


[1] There are studies that show current response times are on the order of weeks rather than the days required by GDPR rules. Of course, that might not be relevant if response times can be adjusted downward under the pressure of the new rules.

Tuesday, April 17, 2018

Compuware continues to lead in Agile DevOps for the mainframe

By Rich Ptak

Image courtesy of Compuware, Inc.

Compuware continues to add to and extend its mainframe solutions as it advances in its campaign to mainstream the mainframe. This time, it does so with two major innovations that help its customers preserve, advance and protect their mainframe investments.

Before we get into the innovations, we want to mention Electric Cloud, a new partner, which proactively integrated its service through the Compuware open API. This is the latest example of how Compuware takes an open-borders approach, integrating with a variety of solutions to help customers build out their DevOps toolchains.

Now, on to the announcements. First, a new product, Compuware zAdviser. It leverages machine learning and intelligent analysis for continuous mainframe DevOps improvements. This new capability provides development managers with multi-level analysis of tool usage and performance data. They focus on the critical DevOps KPIs (key performance indicators) of application quality, development team efficiency and velocity. All are also key to agile development. Even better, the product is free to Compuware customers.

Second is a new GUI for Compuware’s ThruPut Manager, which provides intuitive, actionable insight into how batch jobs are being initiated and executed, as well as their impact on cost. Users can leverage graphical visualizations of batch jobs that are waiting to execute and when they might run. In-depth detail on why a job has been waiting can also be easily obtained.

zAdviser + KPIs + Measurement = Success
Mainframe KPIs are a must if organizations want to successfully compete in the digital age. After all, you can’t improve what you can’t measure, and if you’re not continuously improving, you are wasting your time and, worse, your customers’ time. Teams must also be able to prioritize and measure the KPIs that will directly impact development and business outcomes.

A Forrester Consulting study conducted on behalf of Compuware found that over 70% of firms responding had critical customer-facing services reliant on mainframe operations. Providing the customer with an exceptional experience, not simply good, clean code, has become the new measure of operational success.

The same Forrester Consulting study found that enterprises are doing a good job of tracking application quality, but they are considerably less concerned with efficiency and velocity. However, in order to modernize their application development strategies to keep pace with changing market conditions, firms must place as much focus on velocity and efficiency as they do on quality.

Compuware zAdviser uses machine learning to identify patterns that impact the quality, velocity and efficiency of mainframe development by exposing correlations between a customer’s Compuware product usage and the KPIs. Equipped with empirical data, IT leadership can identify which capabilities within the tools developers can exploit to become better developers. With machine learning, the days of simply beating the drum to go faster are long gone.

ThruPut Manager: Visualization for Batch Execution
Compuware’s ThruPut Manager brought automated optimization to batch processing. ThruPut Manager makes resource allocation decisions by balancing the needs of multiple interested parties. It involves cost-benefit tradeoffs between risks and costs, such as risking SLA (service level agreement) violations of timely service delivery to avoid a costly increase in software MLC (monthly license charge) costs.

Compuware reports that batch processing jobs account for about 50% of mainframe workloads!

Today’s complex environments compound the problem with a bewildering number of choices, combinations and alternatives to consider in making these decisions. The amount of data, competing interests and number of options mean it takes years of experience to achieve even a reasonable level of competence at this task. Further, a lack of such seasoned staff means that these operationally critical decisions are now being left to new-to-the-mainframe staff lacking that experience.

ThruPut Manager’s new web interface provides operations staff with an intelligible visual representation of the cost/benefit tradeoffs as they work to optimize workload timing and resource performance.

In combination with Compuware Strobe, ops staff can more easily identify potential issues. They can manage and balance competing metrics relating to cost, resource allocation, service policies and customer interests to make the best decisions for optimizing the workloads, as well as application performance.

A big part of ThruPut Manager’s advantage is the multiple drill-down views it provides. Starting with an overview, which displays data about the General Services and Production Services queues, users can drill down to a detailed view of specific job data and job history, as well as where work is getting selected. The GUI also collects and displays the R4HA (rolling four-hour average) information for the last eight hours. And, if the Automated Capacity Management feature is constraining less important workload to mitigate the R4HA, this will be displayed on the graph.

The Final Word
Mainframe workloads continue to increase even as experts steadily leave the workforce and responsibilities shift to mainframe-inexperienced staff. Organizations must constantly work to modernize mainframe environments and remove impediments to innovation to not only increase their business agility, but also attract a new generation of staff to the platform.

Compuware zAdviser provides concrete data that allows mainframe staff to link the actions taken to improve performance with their results, as measured by KPIs. DevOps management and staff have access to intelligible, visual information on the impact of those changes in detail.

Compuware ThruPut Manager provides much-needed clarity and insight to fine-tune batch execution for optimal value, easing budget stresses while fulfilling business imperatives.

These products provide strong evidence of Compuware’s ability to create innovative ways to identify and resolve challenges in mainframe development, management and operations that have long been barriers to its wider use. The entire team deserves a salute for their 14th consecutive quarter of very agile delivery of solutions that are driving the mainframe more and more into the mainstream of 21st century computing. Congratulations once again for your efforts.

Monday, April 16, 2018

Risky Data: GDPR outside the EU

By Bill Moran and Rich Ptak

Image courtesy European Commission
GDPR (General Data Protection Regulation), the new privacy law enacted by the European Union, will come into full force in May 2018. The law is an attempt to enforce some ownership rights and protect the use of an individual's data collected by enterprises. This is the first of a series of articles on the concerns and impact of GDPR on companies not physically based in the EU but who deal with EU residents directly (such as selling services or products) or indirectly, by doing business with a firm with EU-resident customers. Note, we are not attempting to provide a detailed legal analysis. This is intended to be an advisory and awareness-raising commentary on what appears to us to be a potentially highly disruptive trend.

A major driving force behind the GDPR mandates has been the documented abuse, along with the increasingly evident potential for misuse, of the collected information, perhaps best represented by the highly profitable sale of access to customer data by social-media giants, with Facebook[1] being just one example.

Added to this growing, widespread public awareness of data abuse is the exposure of the casual, if not callous, attitude of industry executives, data sellers and buyers, who are convinced that profitable exploitation of the data is their exclusive right.

It is very likely that GDPR-type restrictions will be initiated and imposed by the US along with other non-EU national governments. The repeated disclosure of personal information obtained from corporate databases by hackers lends further impetus to such efforts. Anyone doubting the risk can easily find evidence with a simple internet search[2].

GDPR’s initial focus is on returning the ownership and control of personal data to the individual. To that end, GDPR requires that the entity requesting data must obtain explicit, informed consent from the individual[3] for the collection and USE of the requested data. Both the request and the consent must be visible and explicit. Specifically, it cannot be buried in a long, detailed statement of intent, in a blanket user agreement, or in formal terms and conditions for licensing or another contractual arrangement. The expectation is that this will take some significant effort. There are many more details, which will be discussed in upcoming reports. First, let’s look at plans for enforcement.

GDPR establishes severe penalties for companies violating the individual’s data rights, e.g. a fine of up to 4% of an enterprise’s worldwide revenue for repeat offenders. For corporations with hundreds of billions of euros in revenue, this could equal billions of euros. The law applies to the data of both EU citizens and EU residents. Accountability extends to any company anywhere which maintains personal information on EU residents and/or citizens in its systems. Personal information is very broadly defined as anything that allows identification of an individual person. This broad definition appears to include even a simple URL.

Our series of articles will focus on issues and actions of concern to companies which may or may not currently do business in the EU but have information on EU citizens/residents in their databases. There are also secondary players, such as suppliers to multinationals that receive from or exchange data about individual EU residents. Such suppliers will likely be asked to adhere to GDPR requirements or requested to implement GDPR-compliant data protection policies. An example is a US-based airline with (TSA-mandated) information from a ticket purchase by an EU resident. Virtually any enterprise anywhere doing business with any EU resident falls under GDPR.

We will not focus on the issues of the large multinationals with significant EU business, who have legal and technical staff to address them. They are immediately subject to EU laws and have had several years to prepare.

Our next installment will discuss open questions and implementation risks. It will be posted in approximately two weeks.

[2] Searching “hacker obtain personal data from corporate information” returns 48.8M results, and 127M if searching “hacker personal data corporate data”.

[3] In the case of a minor, the parents or the legal guardian must consent. Here you can see how GDPR requirements will spawn severe problems when an organization tries to implement them. We are not necessarily opposed to the concept, but significant effort may be required to implement it. What exactly is the process to contact the parents and get this consent? If you ask the child who their parents are, will they tell the truth, or will they identify someone else who they know will give permission?