Tom Preece, Director of Information Governance Solutions at Rational Enterprise, discusses how their solution ensures compliance with data protection regulations such as GDPR and CCPA. He explains the importance of knowing what data an organization has and why it's there, and how their tool allows organizations to interview the data itself to understand its purpose and origin. Preece also highlights the challenges organizations face in implementing effective information governance practices and how their software addresses these challenges. Additionally, he emphasizes the importance of data management in reducing the risk of data breaches and explains how their solution helps organizations improve their data management and ensure appropriate protections are in place.
Jim Merrifield (00:01.421)
Hello and welcome to the info gov hot seat. I'm your host Jim Merrifield and with me today is Tom Preece at Rational Enterprise. Welcome Tom.
Tom Preece (00:10.328)
Hi, very happy to be here, thank you.
Jim Merrifield (00:12.589)
Yeah, I'm glad you you're able to take some time with us and we could learn more about you and and your company and what you're doing in your current role So let's kick it off here. Can you tell us a brief introduction of yourself your current role and one fun fact about yourself?
Tom Preece (00:27.544)
Of course, yes. So Tom Preece my current role is director of information governance solutions at Rational Enterprise. So that covers two main areas, the development of our flagship information governance products and the roadmap and everything like that, as well as the service delivery. So actual interactions with clients, making sure that they achieve their business goals with the tool, and then feeding that back into the product management side of the house. Now, fun fact, I drive my kids to school.
They go to a Waldorf school, so it's like a half hour drive. And this year, they're like, tell me a story. And I was like, OK. And I just had to make up a story on the spot. And the next day, they're like, keep telling a story. So I'm on episode 100 and something of this story that I just have to continue to make up. It's just epic dragons and magic tale that's kid appropriate. And I'm like, I've got to use ChatGPT and turn this into a novel now. It's like a very complex, intricate web story. So I thought that'd be kind of a fun fact.
Jim Merrifield (01:27.437)
That's awesome. Yeah, I was going to ask you if you're using ChatGPT for that just to help you out to generate some ideas or what have you.
Tom Preece (01:34.84)
Yeah, I haven't yet, but I feel like I need to put it on to paper so I don't like forget stuff.
Jim Merrifield (01:40.365)
Now that's awesome, but you're a good dad. I'm sure your kids are enjoying that, the story and hey, who knows? Maybe you'll put your own novel together, maybe an ebook, right?
Tom Preece (01:49.88)
Yeah, exactly.
Jim Merrifield (01:51.533)
Yeah, for sure. Awesome. So thanks for sharing that. So let's jump right into business here. So how does your, you talked about your solution, how you're the director of IG. How does your solution ensure compliance with evolving data protection regulations such as GDPR and CCPA? Because that's really on the minds of people today.
Tom Preece (02:11.96)
Yeah, yeah,
So I say that knowing what you have is pretty central to these things. And explicitly, of course, there's Article 30, record -keeping requirements for GDPR, the ability to respond to nearly any of the actual citizen rights that are afforded to any of these. You have to know what you have, why you have it, who put it there in the first place, how long you're going to keep it for. But also implicitly, I mean, with all
I think there's like 15 now states that have their own privacy regulations. You've got the federal one that's a draft who knows where that's going to go. But you've also got 13 other states that are now like looking at it and have different parts of the legislation process where they've accomplished it. So knowing which of those jurisdictions you're actually responsive to is more complicated than it should be because you don't necessarily know which data you have because it's whether or not they
live in that country or live in that jurisdiction. So there's all sorts of reasons that you really need to know what you have. Now traditionally what you do is you interview the people of your organization, say which data do we collect, where do we put it, what application does it flow into, how long do we need that for, for that purpose, how did you get you know the justification for this. That interview feeds into some kind of database which you can build things like data flows and data maps out of. But fundamentally you're asking the people,
When it comes to unstructured data, those people have no idea what's out there. I mean, we've talked to outside counsel. We've talked to consultants who have admitted that their plan when they go in there and help people with data inventory is they're like, we're really not thinking about the unstructured data. It's just too messy. And sometimes you can get along in that way, but not if there's a breach. I mean, not if those actual data points are exposed to the public because you know,
Tom Preece (04:11.896)
there was personal data where there should not have been. So our tool allows you to essentially interview the documents themselves, interview the data, cut out that middle, you know, sort of recollection problem of individuals and say the people who knew what was on that file share, it's been around for 20 years, they've left, they're not here at the company, you can't interview them. Go and talk to the data, understand what it is, what business process actually put it there.
So you can have that strong foundation for actually responding to the rest of the requirements for these sorts of regulations.
Jim Merrifield (04:43.821)
Got it. So is it kind of like similar to auto classification?
Tom Preece (04:48.248)
Sure, yeah. I mean, auto classification is excellent. And we certainly have it in the tool. I think that to be realistic, that's only ever going to get you so far. Because you need to have a higher level of confidence than 85 % or 89 % in order for all the stakeholders at your company, usually, to say, yeah, you can go delete that now.
And that's generally where auto classification will get you. It's not going to be able to match up to records categories perfectly to the degree of confidence that you need for people to say, I'm OK with you taking my data away now and deleting it. So yeah, it's definitely part of it, but I'd say it's not the complete solution.
Jim Merrifield (05:33.325)
Fair enough. So talking about challenges, right? I'm sure you're, you meet with many clients. What are you seeing so far this year? What challenges are organizations facing when implementing effective information governance practices? And how does your product or solution address these challenges?
Tom Preece (05:52.536)
I mean, I just sort of alluded to one. I'd say the people, right? Like the other people at the organization is like what information governance professionals run into the most of communicating the importance of their program, why it must be followed, the stakes, right? If you're not in a position where you had a major litigation, you had a major cybersecurity breach, you had a major audit from a regulator, and you're in pain and hurting and say, there's a better way, we have to do better.
If you're ignorant or naive to those experiences at your organization, then it's very hard to get any kind of momentum going. And it's compounded by the fact that a lot of people in these positions, they've got trained in their field of understanding, you know, what's the regulations that apply to us, put that into a record schedule, apply that to the actual documents, communicate to everybody. How to navigate politics.
how to actually affect change at the executive level, how to affect change at the individual level, how to change people's behavior, how to understand your information culture, how people relate to information. All those things are not necessarily part, you know, they're traditionally taught in that job. And yet those are essential, just as important as the record schedule and actually getting the job done. So I'd say that as a technology provider, this is something that we've sort of had to take on and me personally to just say the technology can't do it by themselves, you know.
we can try and automate it, which ultimately is how we help, right? Go to a company, actually take as many individuals out of the equation as possible to try and get to that automated state. But as I said before, you can't do that unless you change your approach. You say, hey, let's talk about what the criteria are in which deletion can take place. Let's not send you a bunch of documents every year to do disposition review and hope you get through them all and you have time.
Let's talk about the criteria that allow us to say under this exact circumstance, with this exact type of document, it's OK to delete it. Yes, everybody agree? Yes, yes. OK, great. Now you've got a rule that watches with a very high confidence of saying that's just going to get deleted and there's no other input that's needed. It's auditable. It's all something that you can look over and review it. And that's how you can try and get away from that sort of information cultural problem, like front end buy -in, to then try and get to a steady state automation.
Jim Merrifield (08:12.941)
Now you make it sound so simple.
Tom Preece (08:16.216)
It's a simple process if the damn people didn't get in the way for sure. We just replace them all with artificial intelligence also is also a great solution.
Jim Merrifield (08:25.549)
Hey, who knows that may happen, right? Someday. So you mentioned data breach. How does your solution help organizations improve their data management efficiency, thereby reducing risk associated with data breaches? Because I think every company these days is worried about a data breach. And of course, right, having information on their servers and things, they're worried about that information being compromised. So how does your software improve?
that efficiency.
Tom Preece (08:57.368)
Yeah, I like to joke that like the best way to protect information is to delete it. Like it can't be exfiltrated if it's not there on the systems in the first place. And I say that the most severe breaches that you see are not where hackers have become so incredibly sophisticated. They get to the crown jewels just through their own capabilities. It's usually some kind of negligence. It's like the
the data was on a place where there wasn't in in place encryption or that it was an assistant that was marked as like company private as opposed to top secret or confidential. And so it didn't have the protections that it should. So, you know, there's a combination of two different things there. You get records that should have been deleted, that were allowed to be deleted in the normal course of business, but there was just no follow through. That's what the policy said, but there's no operational aspect to it. And so.
Rational governance is all about that piece, right? This is the tool that we're talking about being able to say, here's what the policy says. How do we actually implement it across petabytes of information at scale? And you can actually ensure that disposition takes place so that it can't get exfiltrated. And for the stuff that you do need to keep, is it in the right actual right place? Which all goes back to what do we have? What do we actually have in these systems? All this content that's in our document management system, we've got appropriate protections.
But analyst XYZ said, I don't like the way that I can create reports in there. I did a big dump put into SharePoint, used Power BI to create my own visualizations for it. But they forgot to clean up that dump. And they've got the permissions to do it. How do you get that visibility to get those leakages to understand this is not the appropriate protections around it? And rational governance sort of allows you to know what you don't know.
Right, be able to explore without looking for something specific because those data points at the population level can be shown through visualizations and stuff like that. So I think that's probably where we provide the most value.
Jim Merrifield (11:03.053)
Yeah, so listen to listen to Tom, right? When in doubt, throw it out or delete it and possibly use a solution like Rational Enterprise. So thanks for sharing that. So Tom, we talked about a lot today. Any final thoughts for the audience?
Tom Preece (11:20.12)
I'd say don't get too worked up about generative AI. I think that there's a lot of hype that it's more like a calculator than a replacement for a human being. And then I think you've got to stay, I think Steve Weissman the IG guru guy, I think he said that you keep on doing you. I think that if you stick to the fundamentals of information governance and the processes,
you'll still outlast, you know, and become even more valuable in the realm of artificial intelligence.
Jim Merrifield (11:56.287)
I think that's wise advice. Well, listen, thank you, Tom, so much for joining me on the hot seat and sharing your expertise with our audience. We thoroughly appreciate it. And if you'd like to be a guest on the hot seat like Tom here, all you have to do is log on our website, submit your information through, and we'll get you on the schedule. And thank you so much, and enjoy the rest of your day.
Tom Preece (12:17.802)
Great, you too. Thank you so much for having me on.
Jim Merrifield (12:20.301)
Anytime.
Director, Information Governance Solutions
Tom Preece is responsible for the Design, Roadmap Strategy, Implementation, and Services surrounding
Rational Governance, Rational Enterprise’s enterprise-grade information governance platform. Tom
facilitates a constant loop between client issues and challenges, innovative solution design and testing,
logistical execution, white-glove delivery and service, data-backed impact evaluations, and finally back to
soliciting residual or new client challenges.
In tandem with his work on product design and delivery, Tom also works closely with business
development to coordinate complex requirements across product functionality, security, compliance, and
culture. Tom provides a nexus of knowledge across all of these areas, acting to empower prospects along
the buying journey, designing custom pilot solutions, and educating our salespeople on the depth and breadth
of our technology and service portfolio.
Tom also produces thought-leading content, having been a speaker at ARMA InfoCon, the IRMS conference, and the upcoming IngoGov World conference (2024). He has also been published by various organizations such as the
Association of Certified eDiscovery Experts, and Junto, the cybersecurity exchange provided by NetDiligence.