E91 - Gal Ringel, Co-Founder & CEO, Mine, Israel

Thank you to our sponsor today Mine PrivacyOps. They are featured in major publications, including Intel Ignite Business, Insider VentureBeat and Fast Company. They're the first platform dedicated to handling Data Privacy operations while placing customer and user experience at the center. They've been rated number one by G2, the leading business software services review platform for Data Privacy management software, DSAR Software, and Sensitive Data Discovered. We have a special Data Diva exclusive that Mine PrivacyOps has given to "The Data Diva" listeners. Anyone or any organization that would like to use their Data Privacy management solution will receive a 20% discount on DSAR data mapping and ROPA modules. So to get this discount, contact Mine PrivacyOps at their support team and add DataDiva 20 to the subject. These Data Diva exclusives and this information will be available in the podcast show notes. It will be available in our monthly Data Privacy advantage newsletter, and I will also add this information to the podcast transcript, which will be posted on https://www.debbiereynoldsconsulting.com/. So to find more about Mine PrivacyOps visit their website https://www.saymine.com. Enjoy the show.

SUMMARY KEYWORDS

companies, privacy, data, privacy regulations, people, organization, individuals, employees, requests, consumer, mapping, saas, systems, solve, teams, thought, shadow, problem, service, implementation

SPEAKERS

Debbie Reynolds, Gal Ringel

41 minutes

Debbie Reynolds  00:00

Personal views and opinions expressed by our podcast guests are their own and are not legal advice or official statements by their organizations. Hello, my name is Debbie Reynolds; they call me "The Data Diva". This is "The Data Diva" Talks Privacy podcast, where we discuss Data Privacy issues with industry leaders around the world with information that businesses need to know now. I have a special guest on the show. I have Gal Ringel, the CEO, and co-founder of MINE PrivacyOps. He's from Israel. Welcome.

Gal Ringel  00:43

Hi, Debbie. Thank you for having me.

Debbie Reynolds  00:46

Yeah, this is fun. This is a combination of we're going full circle now. So I would love for you to tell the story about how we met many years ago and your journey with me in terms of what you're doing now. At the time that you started, I knew that you were a consumer product. Now you're a business-to-business product. But before we get started, I would love for you to tell people about your journey into privacy, why this is such a passion project for you, and tell us about MINE PrivacyOps.

Gal Ringel  01:20

Sure. So feel free to stop me at any time if I talk too much. So hi, everyone. I'm Gal Ringel, the co-founder, and CEO at MINE. And my journey into the privacy space actually started on the security side. So I was dealing with cybersecurity for more than 12 years, even 15 years to date, sorry. And I always was part of the security side from the company's point of view. So how can companies really protect themselves from the different sides, or how they can think about protecting themselves from the often offensive side. And essentially, when we wanted to start MINE, there were three co-founders. We thought, okay, how can we bring something new to the Internet? And how can we do something about security and privacy, but for individuals rather than companies, and the three of us come from a deep cyber security background and really understand personal data? And four years ago, when we saw the GDPR coming to life, we thought, hey, it's going to change the Internet, for the good and the bad for companies. And today, other privacy regulations have brought a lot of accountability and responsibility, right? Over personal data. So companies have to think twice and be more thoughtful when they deal with personal data. But individuals are given rights. And unfortunately, most individuals, when GDPR just launched into the world, didn't really know about these rights, all they knew were these cookie banners everywhere jumping on all the websites, but they didn't know they can go to any company and ask for a copy of their data or even exercise the right to be forgotten. So what we wanted to do was to solve two pains. The first pain is to add transparency to our digital interactions online. So anytime when we sign up for a new service, anytime when we purchase something, anytime that we travel, we have to give our personal data, right? We click hide, click I agree. How do you feel when you have to click, I agree?

Debbie Reynolds  03:44

For me personally, yeah. Kind of annoyed by it. Because a lot of times, the cookie banners, they are just like agree or other options. It's not like agree or disagree. So, unfortunately, they know a lot of companies know that you don't have a lot of time to read every single cookie banner before you click. So for me, I think having that transparency and choice is key.

Gal Ringel  04:12

Yeah, and many other people are like you; they don't want to read privacy policies, right? They just want to get done with that click, I agree, and get the value that they want and continue with their lives. So we wanted to add transparency around that. So to say, hey, the Internet is an amazing place, go and have fun, enjoy the Internet, do whatever you want. But we will be with you through that journey and show you what is being collected about you during that digital interaction. So again, sign up for purchase, booking, previous employment, whatever. So this is the first thing that we wanted to solve, to know which companies have what about us and to also get a deep understanding about what they keep about us and how that exposes me as an individual in terms of online risks like identity theft, reputation, damage, financial loss, etc. And as you know, every day, there's a new data breach, right, and new privacy scandals. And at the end of the day, we, the individuals, are paying the price because our data then gets stolen, leaked out, and used against us in many, many different forms. So we wanted to add transparency around that. And then the second thing we wanted to solve was choice. So to make privacy regulations accessible to individuals, where you can have the choice to decide what you want to do with your data, you want to get a copy, you want to delete, any sort of action that you want to take. It should be our choice. So this is what we did, we launched that product to the market two and a half years ago, and it was a big success. So to date, we have more than 1.8 million users globally; it started with GDPR. And now we are doing all kinds of other different regulations. In five US states, India, Japan, Australia, New Zealand, Canada, Argentina, and Brazil, it's growing. And to date, we saved more than 300,000 individuals from a data breach because they used our service to discover their digital footprint. And essentially, we help them remove their data from companies when they are no longer using their services. So it's really about measuring the cost versus value. And letting you know, if you're still using some companies, leave your data there no problem if you get value, right, so you enjoy it. And if you are not, that means redundant risk to your life, and these companies keep your data for no reason; you don't enjoy it, right. So there is no reason why you should leave your data there. So we help you monitor that. So in 30 seconds, we can show you that list, you can click on each company, and you can see more information. And then, if you would like, you can start exercising your rights. So this is what we started doing as a company. And as you mentioned, today, MINE has PrivacyOps. And last year, we started helping companies as well, because companies literally came to us saying, hey MINE, we got requests from your users, all kinds of different privacy requests. And we really love your product. We even used it as individuals, which is very nice to see, data protection officers and privacy professionals working for companies using our consumer app to take care of their personal data online. So they came to us saying, hey, MINE, handling different privacy operation tasks is hard, it's challenging. Please help us. I mean, we need some help. And at first, we said, hey, there are other b2b vendors out there, right? Probably most of the b2b vendors that are helping companies achieve different privacy tasks. So we literally sent these companies to these vendors, and we said, hey, this vendor can help you do that. And that vendor can help you do this like we literally try to help these companies by sending them to different vendors. But then they came back and told us that these vendors don't really solve the problems. And essentially, the four main problems that companies have shared with us around that is automation. So they shared with us that usually, privacy teams don't have a lot of resources; it's usually one or two people within the team, right? So they don't have a lot of resources to deal with privacy operations. So they really wanted automation. And then, the second thing they wanted was a no-code approach; they didn't want any engineering or changing the priority of the engineering time. So they wanted something that works out of the box. And then the third point was implementation time. So when it comes to privacy, I'd love to hear your thoughts about that. Our number the thing, right, is you want to show our results from our privacy program quite fast, right? Because privacy is a brand necessity. You want to show your customers that you value privacy and that you actually help them. So they wanted a quick implementation time. While a lot of the vendors out there have a very long implementation time. So this is what we heard. And yeah, we decided to help companies as well. We followed the needs of the market. And today, our company vision is to serve both individuals and companies around anything related to privacy and compliance operations. So for consumers, we help them online by identifying the companies that have their data, learning about the risk, and if they want to start removing their data. And for companies, we help in daily privacy operations like handling raw power reports, PII  privacy, impact assessment, data mapping, consent management, and anything that organizations are doing in the day-to-day, and for me, it's very exciting because we are able to be on both sides, right, to help both companies and consumers and really create the right solution that works for both of them.

Debbie Reynolds  10:35

Yeah, excellent. Excellent. So well, this is interesting, and I love the story. Because I think some people, especially in the b2b space, it's like, let's just build something, and they help people buy it, where people came to you with their specific needs, and you're able to listen to them and build something that really works for them. I would love to talk a little bit about the implementation part. So once you get past the sales pitch and all that other type of stuff, the implementation part is really the hard part to bridge between what people think they're going to get and what they actually receive in terms of service after the implementation is done, so tell me a little bit about how your implementation path is different and what customers seem to like about it.

Gal Ringel  11:32

So essentially, the first thing that we gave to companies is privacy request handling. And so as you know, organizations that are consumer-facing, I would say like eCommerce, FinTech, consumer apps, they get a lot of privacy requests can be data deletions, the right to be forgotten, it can be Data Access Requests to get a copy of the information, if it's around the CCPA, it can be do not sell. So companies receive a lot of privacy requests. So there is a large volume. Now, for companies that don't have any automation in place, it can be very challenging to handle these privacy requests, right? Because usually, as we see it, and this is after interviewing more than 1000 companies and hearing their trends, before we built our product, right, just to understand, what do we need to build in? What are the pains? So they told us that usually, three people within the organization, three different people are, helping the processing of privacy requests there, our support people that usually sit on the privacy inbox and get all the privacy requests, and go through them, then there are legal people, usually, the GC or the chief privacy officer, or the Data Protection Officer or someone from his team, that are processing these requests to make sure that are related to different privacy regulations, there are no other regulations that contradict, etc. And then there is the r&d, that needs to go to all of the data sources within the company, whether it's a database, or SAAS, like your email, marketing, your CRM, and literally delete the data or fetch it, if it's a Data Access Request. Now, think that organization has to invest that time in 100 requests a month, 1000 requests a month. It's really challenging, right? It's time-consuming. I think that even Gartner tried to quantify how much it costs for the organization to deal with one single DSR. And it was $1,600 for one single request, which is crazy. So to your question, how do we solve it? We implemented hundreds of API's to all of the known systems that you as a company can keep PII in. So when a new privacy request comes in to the organization, with one click, we are able to shoot API calls to all of the places and execute the request. So if it's a data deletion, we can literally delete the data or anonymize it. By the way, a lot of companies came to us and said, hey, we don't want to delete data. We want to anonymize the data because then it wouldn't hurt any of the current reports or other systems that rely on different records. So we can either delete or anonymize in an automated way. We can, if it's a Data Access Request, we can fetch the data and prepare it in a nice report where the individual can then scan the data and see whether it fits their needs. So we can do all of that automatically. With one click, you can shoot these API calls. And with another quick click, you can also reply to the user with the right response, whether it's, hey, we've deleted your data, that would be our last email or whether it's, hey, this is your data. If you have any questions, please reach out. So we can do all of that in an automated way. So instead of companies having to spend endless hours with different people, one person can really automate that. And the implementation is very fast because it's all based on API's. So to plug in a new API, it's also three clicks. So just to put it in perspective, our fastest implementation time that we have had so far, and we have dozens of customers already. We're 25 minutes for 50 data integrations. So literally, in 25 minutes, they connected 50 data integrations, and we're live operating.

Debbie Reynolds  16:01

Wow, that's amazing. That's amazing. Tell me a little bit about the proactive side of privacy. So I think probably more companies than less, I feel, are unorganized. So they don't know where data is; they can't even tell you where these 50 systems are. So tell me about what you do when working with those companies because I feel like there's a lot of proactive stuff that you can do with companies with your products.

Gal Ringel  16:37

Great question. So after we solved the DSR handling in a pretty good automated way, companies came to us, our customers, and said exactly what you just said, like, hey, MINE, we have a bigger problem. We don't know where our data is. And then we started asking questions, what do you mean? I mean, can you share a little bit about how you onboard a new vendor and how different teams are interacting with new vendors? And then we realized the sad reality that a lot of the companies, and I don't know if you heard that from your experience as well, a lot of the companies are doing data mapping in a spreadsheet.

Debbie Reynolds  17:18

That's right. That's all true.

Gal Ringel  17:23

Okay, so we were amazed to hear that, again, we go to the b2b side, from the consumer side. So we didn't know all the challenges at the company level, where and when they told us that, we were amazed because doing data mapping manually with spreadsheets it's very time-consuming. You have to rely on human memory, which is a problem, right? We can't really remember everything. What if people leave the company and new people join? It's a mess. And then, we also researched and realized that the manual data mapping approach only has a coverage of 30% of the known systems in the company. So you have around 70%, which are unknown. We even call it a shadow IT, right? No thinking about the company; it's scary, right? Because there are systems that no one knows about that have PII, some of that PII can be very sensitive, and no one knows about it. It's crazy. So then we thought, how can we solve that, and we took the same consumer technology that we've already developed, and through the employee's emails, in a nonintuitive approach, we were able to build a whole map of the entire data sources that are being used in the company, whether it's a database over SAAS, in a few minutes. So two weeks ago, we onboarded a customer with 3500 employees, and we did a data mapping exercise on the entire organization in seven minutes, which is crazy. He got a list of all the data sources, all the systems, and exactly what he keeps in each one of them. And he was amazed to see the results because when they managed their current data inventory, when they did the data mapping exercise manually in the current data inventory, they had around 120 systems, known systems right, and we when we did our own scanning, we identified around 340 systems which is crazy. So we thought we found a lot of systems that were all used in the past that were still containing sensitive information. For example, in marketing teams that check different systems, in the sales team, they change the CRM, or recording system or things like that. So we were able to find a lot of old systems and really help the company clean everything. But more than that, they could get a real-time and accurate view of almost 100% of the systems that are being used in the company. And then doing activities like ROPA was much easier because we showed them all the systems and the data. And then we also give a different view of that to say ROPA, so you can see an automated view of all the purchasing activities and start managing everything with a huge head start. So this is something that companies really liked because it really helped them to make sure that they do data mapping accurately, whether it's in the cloud or not, and then to maintain a ROPA in an easier way.

Debbie Reynolds  21:02

Excellent. I think a lot of companies go about this process. So, the ROPA process, the data mapping process backward. So they create, like a policy or a chart or thing in Excel, they go out and talk to people,  create a paper record of things. And then they try to see where the technology matches up with what they say. But really, your approach, I think, is the best because they're saying let's start with the empirical knowledge of what's actually there. And then build our program around what's there, because I feel like a lot of companies get overwhelmed with privacy regulations, where for example, not every regulation applies to them, not every company has to do a ROPA, or not every company has the same risk level. So being able to figure out what's actually within the organization is really key. And then one thing that you touched upon is a lot of cyber people are always pulling their hair out about is shadow IT because I think people don't know what applications are running within their organization. And they also often don't realize what personally identifiable information is in these systems. What are your thoughts?

Gal Ringel  22:25

So yeah, so again, coming from the security side, I know that shadow IT is a big issue, again, because I work for big companies like Verizon, for example. The telco, which at the time that I worked for them, was the 11th largest company in the Fortune 50. So a big company had a security policy that they enforce; you can really sign up for any service without someone from security or procurement helping you. But that really hurt the experience of the employees. It's very hard to do your job when you can't really interact with services online. So and this is what we understood when it comes to privacy, both on the consumer and both on the company level; if you really wanted to protect privacy, like really wanted, you had to put fences around either the employees or the individuals. And these fences were essentially blocking them from doing all kinds of daily Internet activities to test a new service, sign up for a new service, to log into a new service. And it's a problem. So when we thought about checking in privacy from a different perspective, we thought, hey, how can we help companies be more compliant with different privacy regulations, but allowing their employees at least the freedom to operate, so we can essentially escort the company and the employees while they are doing their work, and really notifying them and alerting them on the things that mattered instead of blocking everything and then really having a user experience issue. And then, from that side, we really discover that companies that don't enforce the daily activities, like most of the companies, they have a huge shadow IT problem because companies have budgets within the team level. And then, not everything goes through procurement. And then, not all of the SAAS applications are managed by your Okta or any identity provider. So a lot of the services, the SAAS, are being left. I call it in a dark place; no one knows about it. It's like in a whole different dimension. And what about an employee who is leaving the company. If you think about shadow IT, most companies usually archive the employee email. Obviously, they are de-activating all of his permissions from the email and any other thing that is connected to the Okta, again, any other identity service. But what about all the other SAAS that that employee interacted with? No one knows about that. So we call it zombie footprints. So this is essentially accounts and data, the company's accounts that have business-sensitive information that is there forever, and no one knows about it. So our approach to shadow IT is really uncovering 100% of the data sources. And we do that in a very nice nonintrusive approach via the employee's emails. And then that can power a lot of privacy and security tasks like, again, ROPA privacy impact assessment and shadow IT, so today that technology really powers both privacy teams, but also security teams.

Debbie Reynolds  26:10

Oh, you're making me smile when I'm listening to this. That's been a huge pain point. I think for people. I know, often when I talk to companies, you know what I ask them? Okay, I've done data mapping for decades, right? So I know exactly the questions to ask and stuff like that. So you often come up with a pretty report, and a chart like this is all that we have are just like, okay, so where's everything else? Where are those back rooms, who left a company that was managing some system, and nobody knows about it? So I think being able to have technology in place where you can really find out quickly what those things are, and not really guess and not rely on the memory of people, I think it's really important. Also, one thing that you said I thought was great was the freedom to operate. So I think, traditionally, people have thought, or haven't wanted to cooperate in some ways, with a lot of privacy and security things because they feel like if I comply with these privacy regulations, or I try to be better, and cybersecurity is going to curtail me being able to function in the way that I need to. And I think that has to be solved because people need to be able to still do their jobs. But then they need to be able to do it in a way that doesn't harm the organization from a cybersecurity or privacy perspective. So tell me a little bit about that story.

Gal Ringel  27:49

Sure. So again, this is something that we thought about when we asked how we can do data mapping and shadow IT better? We thought, how can we be injected into the regular process that employees or even private security teams are having, and really feed, inject their current day-to-day with a new feed of information about what is really happening inside the company. So if you think about it, most of the PII that companies collect can reside in three places. It can be on-prem. Right? If you have databases or whatever devices, it can be in the cloud, right? So AWS, GCP, Azure, etc. And it can be external to the company in SAAS in different vendors. I think the three most common places are not going to be bizarre edge cases. But these are the three main places. So when we thought about where is the most critical pain for companies, so I think that ever since COVID-19 started, and we were all locked up for a while and had to work remotely, right? That created a new situation where the entire work has changed. We were all working from home. And that means that we are using much more external services like SAAS within the organization in order to operate. So instead of meeting in person and those things that we were used to, we're using all kinds of different apps and services to do that. So that means the number of SAAS applications that organizations have adopted ever since COVID-19 started has increased dramatically. It can be 2 to 5x the number of apps used before COVID-19. All the critical and sensitive database internal databases usually don't change too often, right? You usually choose one or even two and stick with that for the entire company life. So SAAS, we identified SAAS as the most critical area where companies need help in terms of both coverage, discovery and monitoring, and understanding of what PII is there. Let me give you one popular example, Salesforce. Everyone is using Salesforce, right? Do companies really know what PII they keep in their Salesforce? No way, right? Because it's a very customized platform. Any company can use it as they see fit, right? Any sales team can customize it. Tons of API integration and third-party integrations. So we can really come to your Salesforce and really map the entire PII that is there. And usually, most of the companies are focused on the databases, which is, it's also important, but what about all the sites so our approach was let's do a real discovery and monitoring of all the sites that you're using inside your company. And the way to get to 100% coverage was through the employee's emails because if you think about it, any new SAAS is being interacted with from your email, you need to sign up to the SAAS, you need to get a reset password, you get product updates, whatever. So we can find a trace in the employee's inbox as to the digital interaction the company had with the SAAS. And this is why we are able to scan the data organization in really a few minutes instead of doing that data mapping process manually. And that's sort of the problem. I mean, this is how we can get to 100% coverage and really give you a detailed and accurate reporting of what what you're dealing with as a company.

Debbie Reynolds  32:19

That's genius. I love that; I love it. So tell me your thoughts on privacy and why you feel like this is a really important problem that your company can help people solve.

Gal Ringel  32:37

So I think the first answer that I can give to that is the fact that we started our vision as a consumer company, right? So we started mapping pains that individuals have regarding their personal data. I think that we gave a pretty good solution so far to individuals to really get a better understanding of what happens with their data and to give them a choice to really do something about it. But now, with companies, we are discovering a lot of change. So when companies think about privacy, they think about how they can solve the problem from a law or legal perspective? Right. And the problem with that is that the solutions that exist today in the market don't really fit the individual. On the other hand, let me give you one popular example. But first, have you ever tried to exercise your rights, let's say to get a copy of your data from a company? It's difficult, right? So so, let me give you the most popular example. When I tried to get my data from companies, they asked me to provide a copy of my passport, the order ID that I placed a few years ago, if I purchased a product, or even if I booked in a hotel, what was the booking number? And a lot of questions that, as an individual, I don't really know, right? They even asked me if I wanted to exercise my GDPR or CCPA rights. Now, I'm thinking about my wife, right? She's not tech savvy. She doesn't even know about GDPR or CCPA. She just wants to gather data. So how can she know the difference between GDPR and CCPA? So what I'm trying to say is that the processes that companies have adopted over the years really solving the problem from the law perspective from the legal perspective, but there is a big gap between the solution they have built and introduced to the market to how individuals want to interact with them. So there is a big gap, and consumers are left without any solution. And essentially, what happens is that they go to social media. And they write about the company, hey, I tried to do that. And the company added a lot of burdens and made it very complicated. And this is where we understood that privacy is more than just compliance. It's more than just the law itself. It's about the company brand, right? And if companies would understand that, and would communicate and introduce a better privacy experience for their customers, even a clearer privacy policy that anyone can really read, right? This is the first step that can really help the company get points, trustworthy points, and loyalty points from the individuals. So when I think about your question, I think that the first thing that has to be solved is user experience. So to really help companies introduce a better user experience with regards to privacy to their customers, and to anyone who can be consumers or customers, to anyone who is using their services. This is the first thing that we as a company are trying to solve very nicely. And the second problem is to do automation. So we really understood that privacy, unfortunately, and I'm trying to change that, privacy teams lack resources. Unfortunately, privacy is not prioritized highly enough in the organization. And again, I'm trying to change that. For me coming from the security side, it was always easier because security always gets everything. People, resources, money, whatever. And privacy is still not. This is the sad reality. And I believe that in two to three years, it's going to change dramatically because of privacy regulations, which I think are doing good for the world. They are not perfect privacy versions are lacking a lot of things. But it's a good step. So I think automation it's very challenging for companies. And now, I totally understand that after working with hundreds of companies, I truly understand how hard it is for companies to deal with daily privacy operations. I didn't know that. And so this is why as someone who is an engineer by heart, this is my background. I know how efficiency is very important. So automation is the key for companies to really provide the first point, the better user experience. And it's really hard to provide automation. So this is why we try to break it down into different areas that we think are the most painful for companies right now.

Debbie Reynolds  37:59

That's great. Excellent. I love it. So if it were the world, according to Gal, and we did everything you said, what would be your wish for privacy anywhere in the world, whether it's technology, human stuff, or regulation? What are your thoughts?

Gal Ringel  38:15

I think that companies and individuals have to work together and have to solve the problem together; it can't be that only one side of them is trying to define the solution. Because it won't work. If individuals would try to define the solution, it would only benefit them. And if companies would define the solution, it would only benefit them, and it has to be together. Because only then privacy can really flow for each other and be really honored and executed. So this is something that I really, really strive for, and to create that bridge between companies and consumers. And this is what I really hope will happen in the next few years. And I think that the other thing that I would wish for is more resources for companies to relate to all C-levels out there. To really understand that privacy is more than just compliance. It's a brand thing that the company has to invest in. It's the idea of the company; it can help add loyalty and trust points to the brand. And I think that prioritizing privacy and allocating more resources to privacy, whether it's engineering, legal, or whatever, can really benefit the company. And we can really help companies measure the ROI they get from privacy. So we can really help companies understand that any dollar they invest in privacy, they get more in return. So again, it's the gap to bridge between individuals and companies around privacy and really try to solve the problem together. And then for the C-levels out there, to allocate more resources to the privacy team to enable them to do their job better.

Debbie Reynolds  40:18

Yes, that's amazing. Thank you so much for that. So, thank you for being on the show. I'm happy. You know, I'm really excited to see your journey, and I think you're spot on. I think you've hit the nail on the head in terms of what the pain points are that organizations have and the types of help that companies desperately need in this area. So thank you so much.

Gal Ringel  40:47

Thank you so much for having me.

Debbie Reynolds  40:50

This is great. We'll talk soon. Bye bye.

Previous
Previous

E92 - Bianca Lopes, Identity & Access Advocate for Humanity, Co-Founder, Talle

Next
Next

E90 - John H. Sudduth, Chief Information Officer, Metropolitan Water Reclamation District of Greater Chicago