Crispen Maung has been Chief Compliance Officer at Box since May 2018. He served as Box's Vice President of Compliance from 2015, and as its Senior Director of Compliance before that. At Box he has developed and implemented a Global Data Protection framework that enables Box customers to meet their international data protection obligations, such as the GDPR.
As an experienced Enterprise Cloud Computing Data Protection and Compliance professional, he also advises a number of Enterprise Cloud Computing companies and international regulatory organizations on cloud computing strategies for effective data protection.
Crispen Maung on best practice steps, video by Box.
Crispen's CV includes stints at Salesforce.com (Senior Director of Technology Compliance, 2006 to 2013), PayPal (Senior Program Manager, 2006), Oracle (Principal Program Manager, 2003 to 2005) and Apple Computer (Senior Manager Internal Audit, 1998 to 2002).
Could you please elaborate on your role as Chief Compliance Officer at Box, Inc? What challenges do you typically deal with?
My role at Box is interesting: Box is one of the few companies that I have worked for where Security and Compliance are recognized as fundamentally critical to the business. That philosophy makes it significantly easier to get things done. Everything we do at Box is focused on ensuring that we deliver the leading Cloud Content Management (CCM) solution to our customers that meets multiple, and often complex, compliance obligations.
Is there anything unique to the Box compliance process that you could share? What’s Box’s data protection mission?
I hinted at it in my previous answer: where Compliance and Security sit within the organization, even as mutually independent functions they are closely integrated with each other, and to the operational and engineering functions of the business. We are maniacal about driving protection for our customers' data and making the customer successful in their use of a CCM solution that meets their regulatory requirements.
There’s been a lot of scare mongering around the regulation. Talking to business customers in the US, I feel a lot of that could be attributed to the difference in cultural interpretation of the law.
I think there has been a significant amount of “scare mongering”. It is a blunt but often effective instrument in making companies pay attention to the fact that they have a lot of data that is very, very sensitive, and that they need to have an effective data protection program built around that data. They need to treat customer data with respect because they don’t own it.
In regards to the different interpretations of the law, I think you are absolutely correct. Each country is culturally different and therefore interprets the regulation through its own cultural lens. In turn, this makes the design and deployment of a global data protection program challenging.
Finally, we come onto the fines. I think the fines will be proportional and a last resort, however I do think “naming and shaming” may be the primary tool of choice along with the fines, but “naming and shaming” by itself is also a very big stick.
We all have heard of companies shutting down their European business or restricting European visitors from visiting their publications (Los Angeles Times, Chicago Tribune, Instapaper, …). What is your opinion about this?
Every organisation is different and will have unique needs and obligations. Some companies evidently believe that to mitigate risk the best option is to shut EU access or restrict EU access to the services. The fundamental issue here is that companies must take the business of data protection extremely seriously - and that doesn't matter where in the world you're based.
Now that the deadline has passed, how many companies in your opinion are inclined to stay compliant and to regularly audit themselves? Or will (high profile) warnings and fines trigger waves of self-auditing?
All companies need to ensure that they remain compliant: it's the right thing to do. Every company that uses personal data has a fiduciary responsibility to the individual whose data they are holding or using in the provision of services or products. This responsibility extends beyond the “data controller” through to the “data processors” and so on through the chain of organizations that may support the “data controller”. Self-auditing must be in place at some level; however, automation may provide some relief from the inevitable costs associated with self-auditing.
You advise Enterprise Cloud Computing companies and international regulatory organizations in regards to cloud computing strategies for effective data protection. How does the cloud differ in the challenges it presents?
Moving to the cloud is an effective strategy for most companies, however, the biggest challenge for companies moving to the cloud - from a compliance perspective - is transparency into cloud providers. I routinely ask myself if we are doing enough, and what we can do to be even more transparent. SaaS providers should consider themselves as an extension of their customer and should provide the same level of openness that the customer would have if they were running their own infrastructure and application stack.
You have one impressive CV. Your professional interest seems to be with compliance and internal audit. What fuels your enthusiasm for the topic?
I think it boils down to a personality type that challenges the “status quo” and looks for new ways to drive organizations forward and to be better than they currently are. That's what really gets me going.