A data governance- and privacy-focused company founded in the EU that now headquarters its management team in New York City, Collibra has hundreds of customers across Europe and the U.S. As a result, the company keeps a close eye on changing data privacy legislation that may impact its own data governance platform and its customers’ data management practices.
Following a $100 million Series-E funding round, led by CapitalG, Alphabet’s growth equity investment fund, Myke Lyons joined the data governance and catalog software unicorn in April as its first CISO. With a background primarily in security architecture, Lyons came to Collibra from ServiceNow, where he was head of security strategy. He recently shared his perspective on changing data privacy regulations, and the direction in which he sees data governance and compliance efforts moving today.
BDQ: How would you characterize the current state of data privacy regulations in the U.S. now?
Myke Lyons: It is very much in its infancy. There is a massive gap between those that are creating the policy and those who are collecting and generating the data. There is an opportunity for organizations to improve their understanding and access to data. And by improve their access, I really mean improve how they are going to leverage the data for the betterment of their customers, business, and investors, and put some more clarity around that process.
BDQ: Is it easy for organizations to understand the different data privacy regulations or are they too disparate?
ML: They are not very consistent, frankly. I think organizations are really struggling with understanding what the goals are with the regulations and then trying to put them into practice and attempting to work within those confines to help customers. However, the other side is that these regulations also present an opportunity for organizations to start to extract better value from their data and not just continue down the path of collecting more and more.
BDQ: How so?
ML: The regulations are going to allow organizations to create more innovative products. There are a lot of organizations that have matured their processes around sales and marketing, around IT and HR, but they are not really improving their data processes, and this is something that I have a lot of interest in helping customers to do at Collibra.
BDQ: One of the newest data privacy regulations, the NY Privacy Act, also known as NYPA, was introduced in May but failed to advance in the state’s most recent legislative session.
ML: The roots of that particular regulation came out of GDPR [which took effect on May 25, 2018], similar to the California Consumer Privacy Act [(CCPA) which goes into effect Jan. 1, 2020]. The difference between GDPR, the California Consumer Privacy Act, and the NY Privacy Act requirements was that, in the NY Privacy Act [unlike CCPA], NY citizens would have had the right to sue any organization that has their data and removed a $25 million revenue starting point. The second key point is that it introduced the idea of a “data fiduciary” which is obviously very new and puts the onus on the collectors of data to be the appropriate stewards.
BDQ: Would the fiduciary have been a single person?
ML: I don’t know if it came down to a single named person. They tried to introduce something similar to this in the U.K. a number of years back called the “data custodian” but the U.K. law lost its teeth. It is not a new concept and it is one that privacy advocates have been supporting and something that Kevin Thomas, the NY state senator who introduced the act in New York, was keen on.
BDQ: That was a key difference from other legislation?
ML: The removal of the $25 million revenue threshold was a big one, as well. If the bodega down the street is collecting your data, it could in fact be sued. And it would have had some impact on startups and their ability to grow.
BDQ: What is the larger impact of these current and proposed regulations surrounding data privacy?
ML: They are going to help organizations understand concepts such as “privacy by design” as opposed to “privacy bolted on.” These will introduce all different types of data products, different opportunities for revenue, and really provide the opportunity for organizations to get more connected to their customers from a service perspective. This is going to allow them to build more trust with customers as their transparency increases. But the first step is that they have to get a handle on the data, know where the data is, and know what they have.
BDQ: Are there technologies or approaches that will be leveraged by companies to get a better handle on their data?
ML: Definitely. In the governance space, the foundation for any of these efforts is locating the data and where those repositories, data lakes, and data warehouses are, and pulling information in so they can understand where it resides, as well as its lineage—and this is an area of focus for Collibra. And then the next phase is to be able to run machine learning or artificial intelligence to help categorize the data, because manual efforts are not going to get them where they need to be. There has to be a focus on automation and constant upkeep of the data, whether it is the metadata itself or the location of the data.
BDQ: Looking ahead, say 5 years from now, what is your expectation for how the regulatory and compliance landscape will evolve?
ML: There are some interesting times ahead of us. I can envision a slightly less toothy version of a data privacy regulation coming from the U.S. federal government in the next couple of years. That said, previously, legislation took such a long period of time to actually get passed and, nowadays, it is becoming faster because the speed at which businesses are changing the way they operate is so quick. The U.S. government has launched an initiative whereby every government agency needs to have a chief data officer.
BDQ: What is the significance of that mandate?
ML: This is a first step, and once that is accomplished, there will be a number of chief data officers at these agencies, and there will also obviously be chief data officers within private businesses, so I can see there being a data privacy regulation from the federal government. But I can imagine that if the federal government does not act quickly that there could be 40 or 45 states launching their own data privacy regulations. In many cases, these are bipartisan efforts because there is cross-party agreement that data is being used in ways that not everyone is comfortable with.
Interview conducted, condensed, and edited by Joyce Wells.