[00:00] Debbie Reynolds: The personal views expressed by our podcast guests are their own and are not legal advice or official statements by their organizations.

[00:12] Hello, my name is Debbie Reynolds. They call me the Data Diva. This is the Data Diva Talks Privacy podcast where we discuss data privacy issues with industry leaders around the world with information that businesses need to know.

[00:26] Now I have a very special guest on the show, Marjan Brasic. He is the co founder and CEO of Legit and he is in Croatia. Welcome.

[00:39] Marijan Bracic: Hello, Debbie. It's great to be here. Thank you very much for having me on the podcast. I'm very excited.

[00:46] And I have a question for you. Did you ever have a guest from Croatian on the podcast?

[00:51] Debbie Reynolds: No. No. You're the first person from Croatia on the podcast. Happy to have you here, though.

[00:57] Marijan Bracic: Thank you. Thank you. I'm guessing a lot of people that listen to your podcast don't really know a lot about Croatia. And maybe I could mention, I think Croatia is a fascinating country.

[01:10] We are a small country of less than 4 million people, but we are famous for the coastal region and the beautiful seaside. And we have around 1200 islands out of which only 50 are inhabited.

[01:24] And if you ever wanted to have a private island just for a day, I think this is the perfect place to come over and enjoy the seaside. And one other interesting fact about Croatia is that even though it's such a small country that has the one of the biggest charter fleets of sailing yachts, because a lot of people love to come here during the summer.

[01:48] And also which is more important for your podcast, we have a very big and active privacy community here as well.

[01:57] Debbie Reynolds: I know one other claim to fame to Croatia is that think Game of Thrones was filmed there, I believe.

[02:05] Marijan Bracic: Indubrovnik. Yeah, that's right.

[02:08] Debbie Reynolds: I would love for you to tell me your journey in privacy. Your company does a lot of work. You have a privacy manager product.

[02:17] So I just want to know how have you managed your journey up to this point and why is privacy important to you?

[02:27] Marijan Bracic: Sure, I mean, I was always respectful of privacy and I was never an intrusive guy. And the story how I started to work in data privacy and how Legit came to be is really a funny story.

[02:43] Actually it was back in the beginning of 2017 when I was still working, heading a data management department in a bigger services company. And at that time, and this is my background is data management.

[02:57] I was working with databases, etl, metadata management, data quality, and data governance in general.

[03:05] And I was heading Department of Data Engineers. And back in the day I was actually in Las Vegas for an IT conference. And it was like my 10th time there.

[03:17] And one evening I was really feeling bored and I was alone that evening in Vegas. And I thought to myself, maybe it's time to start gambling. Maybe I should try my luck.

[03:30] I didn't know the card game, so I only knew roulette. And I thought to myself, Marian, if you only bet on on red, there's always like 50% of chance that you are going to win.

[03:41] So you should just double your bets. And that was the night when I learned the hard way why the house always wins.

[03:49] So yeah, I didn't take into account the green zero. And it was like a series of 10 blacks and I lost some money and I was feeling bad the other morning.

[03:59] So I woke up a little earlier and I went to the conference for the first session. And the first session was about GDPR back at a time it was really not on my radar.

[04:11] I didn't know anything about GDPR and there wasn't a lot of people. It was US based conference. I think no one was really interested in GDPR back in 2017 in US.

[04:26] But as I was listening to the session, I was really thinking to myself, none of my enterprise customers is going to be able to handle the requirements.

[04:37] What are they going to do? Because the fines are so huge and the requirements are so hefty.

[04:44] And that was the time when I started thinking and obsessing myself with what I can do to help my customers actually fill the requirements and do privacy the right way.

[04:57] And in the same time, it was like an opportunity both from business angle, but also from social impact, how we can both do good and create a new business.

[05:12] And this is how I started working on Data Privacy Manager as the product. I really didn't know what we should do. But like two weeks later we had the design for the for the first version of the product, which later became one of the modules of the platform that we have today.

[05:29] Debbie Reynolds: Oh my goodness. So Las Vegas helps spawn your interest in privacy.

[05:35] So I want to talk a little bit about enterprises and data privacy and data protection.

[05:42] What are some of the biggest challenges you think that enterprises have when they understand what their obligations are with complying with data privacy or data protection regulations?

[05:57] Marijan Bracic: What I think the challenges are and also thinking as a vendor in the market, what we can see is that a lot of enterprises initially invested in what we call paper based compliance.

[06:11] And I got to give it to the lawyers.

[06:16] Somehow they convinced everybody that it's just a legal problem and that lawyers are the ones who are going to handle the privacy challenges with enterprises.

[06:29] And I mean the initial investment in paper based compliance was something that most of the enterprises did, but many enterprises, there wasn't a lot of activities after that. And what we always try to do is provide technology, provide advice and help enterprises move from paper based compliance to what we would call data based compliance or real operational comprehensive compliance where they are really tackling the privacy issues, not just creating the paperwork and documentation.

[07:06] Debbie Reynolds: I think you made a very important point here and it's something I see a lot with companies. And so I say that privacy is a data problem that has legal implications, it's not a legal problem problem that has data implications.

[07:23] So I feel like a lot of companies feel like if I go the paper route or the legal route in terms of getting my documentation together, it doesn't matter what I do operationally, but what we've seen in terms of fines and also the reputational harm that comes from companies not protecting people's data is from operations.

[07:44] It's basically from how you actually handle your data, not what you say you do.

[07:51] So your actual behavior is what people are concerned about, not what you say you do. What do you think?

[07:58] Marijan Bracic: I agree completely and I think there's one more thing to it, because for sure, working on your paper based compliance makes you look good on paper.

[08:11] And from the C level standpoint and the high level management, it seems like you have done the work, so you have invested, you have done something.

[08:25] But if you think about it, the willingness or motivation of the enterprise is to invest in privacy, to invest in technology and to actually do privacy the right way pretty much depends on the efficiency of the data protection authorities and the regulators.

[08:46] Because I have seen so many times when there is a data breach or any other similar type of problem that a company has with the regulator, suddenly the budgets for privacy and investing in privacy technology seem to be unlimited.

[09:10] Right? I have seen this many times when there is an issue, when there is problem, then there is willingness, motivation, money and urgency to invest in privacy technology and actually start doing data protection the right way until there isn't and efficiency from the regulator.

[09:37] And if you think about it, so the regulation and the laws are pretty good. I, I think we can argue around it, look into the details, but the laws are very similar around the globe.

[09:52] There's a lot of copy pasted GDPR out there and the only ones who are actually making sure that these laws are being implemented and the companies are actually protecting personal data are the regulators.

[10:08] And typically there is one data protection authority per country and often they are understaffed.

[10:16] And what is most surprising to me, most of the regulators are still doing the supervisory authority audits and inspections manually.

[10:28] They're actually, they will come to the company, they will sit with the people in the company and they will ask questions and write their reports. But there isn't any efficient technology that they actually do to check for compliance.

[10:44] And one of the things that, that we are doing today is we are working with several regulators.

[10:53] I mean our vision was always to protect people, innovation and data. And I believe one of the most efficient ways in which we can use our technology because we've been working on privacy enhancing technologies for almost eight years now, is also to help the regulators because from an individual standpoint, they are the only ones actually protecting you.

[11:19] Debbie Reynolds: That's very cool. Well, tell me a bit about Data Privacy Manager and how that tool works.

[11:26] Marijan Bracic: Sure.

[11:27] At legit Data Privacy Manager is actually our flagship product. This is a software platform for privacy automation and privacy governance.

[11:38] And we have four different products within Data Privacy Manager. The first one is the Data discovery, classification and personal data Search. That's one group of products. Then we have the Privacy program Management, then consent mastering and finally data removal, orchestration.

[12:00] And being a company coming from Croatia, we, we had, I think a little different history than if you would compare us to, to the competition mostly in the US we always had to be cost effective.

[12:14] Everything we did was bootstrapped.

[12:17] So we created a cost effective solution, AI powered solution, customer oriented, modular platform for privacy automation and governance. And I think what is unique when you think about Data Privacy Manager is the way in which we use AI mostly deep learning and machine learning models to do personal data discovery and classification across both structured and unstructured data sources.

[12:50] And it works in any language and any script.

[12:54] Also what we have is we never went out to purchase other technology. So everything we do is proprietary. And we didn't piece together separate technologies. Instead we have designed a modular platform which has kind of a Lego like design so our customers can always think big and start small.

[13:19] And one other thing that we do, and I really haven't seen that problem being solved anywhere else, is the automation of data removal. And when I say data removal, I mean either deletion or anonymization of personal data once companies lose business and legal justification for processing of data.

[13:42] So it's a hard problem to tackle, but I really haven't seen a lot of other technologies that do this besides us.

[13:51] Debbie Reynolds: I'm glad you said that because that's the question I want to Ask you coming up next, because data deletion to me is the hardest problem that companies have. And the reason I want your thoughts, the reason why I think it's hard is a couple of things.

[14:08] One is that software is typically made to remember data and not to forget it. And also companies are fearful about deleting something that they think is important. Right. So they have so much data, they have so much junk, really.

[14:26] And so they, if they're not classifying their data, they don't know what it is. It makes it harder for them to separate themselves from this information and then also duplication.

[14:38] So the data is duplicated so many times within organizations, it just complicates deletion. So what's your thoughts?

[14:47] Marijan Bracic: Yeah, I agree. I think this is one of the hardest problems to tackle, especially if you think from technical perspective, because there are so many different systems, be it databases or applications or document stores.

[15:01] Yeah. Also so many, you know, documents containing personal data are being duplicated and scattered all across the data landscape.

[15:09] And we've seen this problem when we started initially speaking with big insurance companies in Europe because for some reason they were the first one to fill the risk. If you have a data breach, that's bad.

[15:25] But if you have so many data that you already needed to delete or anonymize in some way, it gets even worse. It multiplies.

[15:34] We created a concept of actually understanding which data objects are in the retention period. What are the rules globally, the rules around retention periods, how long the company must keep specific data, or how long the company is allowed to keep specific data.

[15:56] And once you get a handle of the rules and which data you are not allowed to process anymore, then you can start building what we call a data removal schedule.

[16:07] And then sometimes you can delete data, sometimes you cannot delete data for technical reasons, especially if you think like databases and data that you store there, and even for reporting purposes, for other regulatory reports where, where you're not allowed to delete data from the databases, then you need to either mask data or encrypt portions of the data, the identifiers mostly.

[16:33] So we have built this concept around data removal and there is a reason why we call it data remove. Because sometimes it's deletion, sometimes it's anonymization.

[16:44] It was difficult and it's always technically the most complex solution to implement. However, there isn't an excuse for companies not to do it. Because really, if you think about data minimization principle, and if you think about the risks that come with exposing data that you shouldn't have.

[17:06] It's a must for companies.

[17:08] So this stage we are seeing more and more companies invest in this. And it really comes as a cherry on top. If you are building a robust privacy program, you will typically start with other stuff like, you know, building your records of processing activities, understanding what you do with data, doing data discovery and classification, understanding the data landscape, managing consents, managing cookies.

[17:32] But at the end, you gotta start thinking about how to remove excess data.

[17:39] Debbie Reynolds: Let's talk about artificial intelligence and how this complicates things for companies. So I think part of the complication that AI brings is that it brings more complexity to organizations in terms of how they're using data.

[17:55] And sometimes they don't have the level of visibility that they need to have about how they're handling data. So I think that just becomes an extra issue that companies need to think about.

[18:06] But what are your thoughts?

[18:08] Marijan Bracic: Well, I think the rise of AI today is really fascinating and it's going to make our life.

[18:18] I don't know if it's going to be much better, but it's going to be different than today. Everything's going to change in the next few years. It comes with a lot of risks and with a lot of ethical problems around potential bias around copyright challenges.

[18:39] And even with personal data and privacy, we had a wave of companies becoming so good in collecting data. And I've seen companies being so good and understanding everything we do, who we hang out with, where we are, what we think and so on.

[18:58] And then there was this wave of privacy regulation which kind of paused it for a minute there because suddenly companies became aware of the risks of having access data. But now with AI again, we are seeing a wave of all the different services and applications and models using AI.

[19:23] And if you think about it, 90% of the development cycle of anything AI related is revolving around collecting data for training and testing AI. And it really, again, poses a big challenge also from, from privacy perspective.

[19:43] But privacy is not the only issue we have from the ethical standpoint when it comes to developing AI. I think with the wave of AI regulation coming, like the EU AI act here, we're also going to see a lot of rules and potential fines that companies need to think of.

[20:05] And it's time to also think about the proper governance of the AI technologies, not only developing, but also using commercially available AI services.

[20:17] And we are just, I think, entering the period and era of us tackling that problem.

[20:26] One of the things that is not going to go away is protecting personal data and building robust privacy programs. Because it's also going to be a baseline for ethical use of AI.

[20:42] Debbie Reynolds: Yep.

[20:44] So what's happening in the world right now that concerns you in the privacy or data protection area? Something that you see, you're like, wow, this is concerning or I don't like this development.

[20:58] What do you think?

[20:59] Marijan Bracic: So I did mention before the inefficiency of the supervisory authorities of the data protection authorities. I, for me that's actually one of the biggest problems because we all know what should be done, but what organizations are actually doing pretty much depends on the regulators.

[21:19] I think if I would have to choose one thing, that would be what I would choose. And where we are also focusing our efforts now and really helping the regulators become more efficient is gonna in a way help companies find the motivation and the budget for doing privacy the right way and for investing in privacy enhancing technologies like our Data Privacy Manager.

[21:46] I think that's one key area where we want to focus our efforts on. Besides that, I think like we mentioned, with the rise of AI there comes a lot of other risks for data protection and privacy.

[22:02] And this would be, from my, my point of view, the, the most important trends that we are seeing at this point.

[22:10] Debbie Reynolds: I think that concern about what regulators or supervisory authorities are doing is very concerning to all of us. I think in the US we're more concerned about just getting regulation or legis in place as opposed to having these example lawsuits or different things.

[22:31] And so it makes the landscape a lot more complicated.

[22:36] But I agree with you and I want your thoughts. I feel like because the volumes of data are so massive and it's almost impossible to do this work manually where people thought they could do it manually before.

[22:54] I just don't think it's possible to do it in any efficient way without adding some level automation. What do you think?

[23:02] Marijan Bracic: I agree with you completely. I think for most of the companies today, nothing can be done manually anymore, especially if you think about the volumes of data they're handling.

[23:14] And so we have recently seen a lot of questions coming from the companies in relation to the unstructured data that they have. Like all the documents that companies handle and we have seen like petabytes of documents that they have stored in their DMS systems.

[23:36] And it's really what we call dark data because for most of the structured data sources like databases and applications, you would think that companies really can handle that and they have control over what kind of data they are processing, how they are protecting it.

[23:55] And in most cases you would be right. But for unstructured data, it's like this pool of uncontrolled, you know, uncontrolled files of documents, digital documents, like either scanned documents or, you know, different types of documents, images, Word documents, PDFs, textual files, video files, audio files, and no one really knows what's there.

[24:21] And this is one of the reason why it really made sense for us when we were building the AI powered data discovery and classification to include both the structured and unstructured data and in a way to connect it and combine it and give one central dashboard, one console for the company where they can have control of both the documents, applications and the databases.

[24:46] And also there is one very simple problem.

[24:52] How do we find all data belonging to one individual in all the structured and unstructured data? And I think we are one of the rare companies that can provide a very simple solution for that.

[25:07] Because when we are doing the scanning of all the data sources, when we are discovering where personal data resides, and when we are doing the classification and actually labeling different data sources with different data domains, data types and data categories, we are actually indexing the data in a way that the companies can do really fast search.

[25:30] And if they are searching for Debbie Reynolds, they will find all the places and all the locations where your data is, be it structured data sources or unstructured data sources like scanned documents or images, for example.

[25:45] Debbie Reynolds: Let's talk a little bit about unstructured data for a second. And so for data people like me, I understand this very well. And I actually did an article in my newsletter about this because sometimes you have companies that say, oh, I have a data map and here's all of our applications.

[26:03] And it's like the majority of data that companies have are not in applications, their structure, right? So it's basically the sea of documents that a lot of times people don't know who owns it, was there, how long it's been there, whether it's important or not, it's obviously a lot of times duplicated.

[26:21] We see companies like, for example, let's say they have data in a database. People may export that information, or maybe they had it in a form where they're going to import it, but they never deleted it.

[26:32] So unstructured data is a huge problem and a huge risk. And actually, from a cybersecurity perspective, we see a lot of cyber criminals. They love unstructured data because they can just grab as much as possible.

[26:46] And then they're very good at sorting through this stuff and finding the gems that are there.

[26:52] Marijan Bracic: They have time to do it.

[26:55] Debbie Reynolds: What do you think?

[26:56] Marijan Bracic: Well, I will agree with you. And I know when I'm speaking with, I won't be so mean to call them whistleblowers. I'll call them data engineers. And when you ask them, where do you keep all the personal data within the company?

[27:14] And they will have, we really don't have a clue. And it really is like that for structured data. It's kind of easier.

[27:23] Sometimes they can rely on metadata.

[27:26] We don't. We actually scan the data. And because, you know, there can be a difference between what they think they have in a column in a table in the database versus what they really have there.

[27:39] But for unstructured data, they most of the time really don't have a clue. They don't even know where to start searching for specific data when they are thinking about documents and document stores.

[27:55] Debbie Reynolds: I think what you just said, you hit the nail on the head. So what you just said is very important. Where some tools, they only search the metadata and metadata can be very inaccurate.

[28:05] Right. So if I take a, let's say I take a file and I duplicate it today, it'll says, oh, Debbie wrote this document, or it was just created today. Or you may not be able to find those other documents without looking more deeply into the actual data.

[28:20] Marijan Bracic: You know, Debbie, I was for a long time working in data management, including the metadata management lineage and stuff like that. I never believe data set.

[28:32] Debbie Reynolds: No, me either.

[28:33] Marijan Bracic: Not anymore.

[28:34] Debbie Reynolds: I agree. We were like, oh, that's trash. Like, we would throw out the creation date. The author. The author was typically the first person who created the document. Right. So if you duplicated it, that same author would be in there.

[28:48] So it's really not accurate.

[28:50] Marijan Bracic: But what is the solution to the problem, and this is how we approach it, is never trust metadata. Always, always scan the data. And it is kind of a longer process, but it's the only process where you can actually trust the results.

[29:10] And this is how we do it. And we've worked a lot and invested in making the process more efficient, faster. And this is actually where a lot of our efforts when building the solution went into actually making the data scans foster.

[29:27] Debbie Reynolds: So in terms of the deletion, in terms of what you do with the data at the end of the data life cycle, you know, how, how do you help companies do that actual process?

[29:41] Where I feel like some tools, they're like, they may point you in the right direction, but not actually help you take action on following that process all the way through to the end.

[29:52] Marijan Bracic: Yeah. So when you think about data removal, that's how we Call it, you need to understand a few things. You need to understand the business process because like think of a bank, if they have like line of credit products, like loans, if they have a line of debit products, they also can have personal data that belongs to the, you know, point of sale transactions or employee management.

[30:22] And when you are building a data removal automation process, you always have to take into account how the business process works, where the data is stored in relation to a specific business process, what are the dependencies between data and between systems.

[30:42] And on top of this you need to take into account what are the specific retention rules. And they differ between industries and between countries. And once you have all of that in place, then you can start actually building an automated process around understanding which data objects need to be removed, at which point and why.

[31:07] And then we can actually start orchestrating because we know where the data resides, what are the dependencies, and in a way then we understand what is the order of actually removing data from different systems.

[31:22] Now it's not as complicated as it sounds, but for technical reasons and we have seen customers with like 200 different systems which are in the scope of data removal. It, it is not easy.

[31:38] And also when you think about it, what we are doing is actually removing productional data. And that's, that doesn't sound good when you think about it. But this is what you need to do.

[31:51] So you really have to be careful when designing this type of, this type of processes.

[31:57] Debbie Reynolds: So many privacy or data protection regulations are saying that you should remove data, certain data about people that's personally identifiable, after your purpose has expired. Right? And so to me this has probably been one of the most frustrating parts of the regulatory landscape for companies because a lot of times they never really, they never tied their data management or their, the data life cycle to a purpose.

[32:31] So how do you help companies manage that process?

[32:35] Marijan Bracic: So one thing is that, you know, the data protection regulation is non prescriptive when it comes to understanding how long you need to keep data.

[32:44] And if you just say that as long as you have the purpose for processing, it doesn't mean anything to the people actually managing the systems.

[32:54] So what you need to understand is specific regulations, specific laws tied to your industry because they are the ones who specify how long you should keep specific categories of data.

[33:07] And what we do is we have a global knowledge base of the retention rules.

[33:13] We have a data inventory which is more like technical perspective and asset perspective on where the data resides. And then we have the regulatory or business perspective, including the data processing inventory, which has information about the records of processing activities and the purposes and the lawful basis.

[33:33] So when you tie all of that together, and remember I said we have designed our software solution to be like a Lego design where you can connect all these different Legos, the modules that we have, and it really then provides you with information and perspective on how is specific data asset connected to a purpose, what are the retention rules, and then we can actually build the data removal flows and automate data removal in a proper way.

[34:05] Debbie Reynolds: So, Marianne, if it were the world according to you, and we did everything that you said, what would be your wish for data privacy or data protection anywhere in the world, whether that be regulation, human behavior or technology?

[34:20] Marijan Bracic: Well, my wish would be, and this is very selfish wish because I'm not thinking about it from business perspective, I'm thinking about it as a human being and as an individual.

[34:34] I would really like our privacy to be respected as one of the fundamental human rights. And in practice, what I think how that should be done is that companies and people in charge should always think about data that they collect as it was their children's data.

[34:57] Because if you put it in that perspective, no one will actually purposefully expose their children's data, like where their children are, what they do, what they think, and so on.

[35:13] So I would like everybody to treat personal data as it was their children's personal data. I think that would make everything much better and also much easier because it puts things into perspective.

[35:27] Debbie Reynolds: I never heard anyone say that, but I agree, I agree with that. Because sometimes people say, well, I don't mind if someone does something with my data, my personal data, right?

[35:39] But then if you say, well, what about your kid? And they're like, oh my goodness, no, no, people can't have that. So putting it in that perspective, I think is really good.

[35:49] Marijan Bracic: For me, that always worked because often people who are not so much into privacy ask me, so how do we even try to understand what we as a company should do with personal data?

[36:01] Because data protection is so complicated. And I say it really isn't. Just try to think as the data you have is your children's data and then try to do anything you can to protect it.

[36:13] It's that simple. In the end.

[36:17] Debbie Reynolds: This is great. Thank you so much for being on the show. Let people know how they can reach out to you and contact you. And also let me know, what are you up to?

[36:25] What are you guys doing next?

[36:28] Marijan Bracic: So what we are doing next is we are a fast growing company and at this point, what we are trying to do is, you know, scale the business and win over new markets.

[36:40] And currently we are seeing really a lot of activities in the Middle east region and we are very focused on positioning Data Privacy Manager there and helping our customers in the Middle east region.

[36:56] We are seeing the Saudi Arabia as being currently the leader in the area as they have the new law being enforced very recently now. So we have a lot of new customers coming from Saudi, but also the UAE and Oman and Kuwait are countries where we see also a lot of activities.

[37:21] And I think it's also interesting that their perspective is a little bit different than what I would say I've seen in the so called Western countries is they are starting by using privacy technology from start.

[37:38] So they are not doing just the paper based compliance. I think maybe that's also lessons learned from Europe and the US and we are planning to be on the LEAP Summit in Riyadh now in February.

[37:53] And it's amazing.

[37:55] I believe there's like 170,000 people coming to the conference. It's one of the biggest IT conferences in the world. So whoever is going to be there, they will be able to find us there.

[38:08] And also we're going to be exhibiting in Jasec in Dubai in April, which is also a conference but focused purely on cyber security. And it's also huge. It's, I think around 25,000 people visiting the conference.

[38:24] People can reach out to us. Our website is Legiteu. We also have a product page, data privacymanager.net

[38:34] I think they will be able to find my contact in the details of the podcast as well. So I encourage everybody who wants to talk about Privacy, Data Privacy Manager and what we do at Legit to feel free to reach out and I'm always happy to talk about this stuff.

[38:51] Debbie Reynolds: Yeah, thank you so much. Well, Middle east actually is very fascinating in terms of how they do their regulation and how it's very different than we, than we do it in Europe and even in the US in different places.

[39:05] So that'll be really cool. Well, thank you so much. It's great to have you on the show. This has been fascinating. Thank you so much for sharing and we'll talk soon.

[39:14] Marijan Bracic: Thank you, Debbie. It's been a pleasure. Thank you. And also to all your listeners and I hope to talk to you again soon. Perfect.

[39:22] Debbie Reynolds: Thank you so much. Bye bye.

[39:24] Marijan Bracic: Bye.

[39:37] Debbie Reynolds: It.