Privacy has been a buzzword for years, discussed and talked about at different forums for different reasons. Today we live in a world of zetabytes of data and growing at an exponential scale, which has led to new and evolving data privacy laws. Today there are over 130 privacy laws which directly and indirectly regulates people’s data and guides in building and implementing data security posture.
We have seen a wave of privacy laws with GDPR and now US states are passing laws one after another leading to an emerging regulatory environment, consumer awareness and internal realization, organizations are moving toward at least a ‘checkbox compliance’ approach to privacy. Consent management, opt-out/unsubscribe, privacy policies and annual privacy reminders are all examples of that. Consider for a moment, though, that there is absolutely no privacy regulation in the world. Organizations don’t have to care about giving consumers choices about using their data, sharing data, telling them about the data they carry or deleting that data upon consumers’ request. In such a scenario, should organizations stop caring even if their consumers’ data might become vulnerable and might get compromised?
Intersection of Data Security and Privacy
It is easy to say that privacy and security are the two sides of the same coin. But let’s dig into this a bit further and consider two simple scenarios:
1. An organization does its utmost to adhere to privacy regulations. They care about their consumers’ right to access their own data and the right to be forgotten. They provide their consumers control over who their data may be shared with. They manage and track consumer consent properly so that their consumers are not getting bombarded with unwanted campaigns if they have already expressed their desire to avoid that. However, this organization routinely suffers from data breaches. Consumers’ data is here, there and everywhere within the organization with little visibility, little control and little security. As a consumer, would you feel comfortable doing business with such an organization and sharing your data with them?
2. Another organization does its best to secure all sensitive data, including consumers’ data. They know exactly where all their consumers’ data is across structured and unstructured data repositories. They know who has access to the data within their organization(s) and who that data is getting shared with external to their organization. Data is always encrypted at rest and even in-flight to the extent possible without losing all utility of that data. With these controls in place, this organization rarely suffers from data breaches. However, this organization has yet to implement all the necessary checkboxes for privacy compliance capabilities. When it comes to giving consumers a choice with regard to right-to-access/delete/sharing controls, this organization is left wanting.
The question is simple: Which of these two organizations would you feel comfortable doing business with? Neither are ideal, obviously, but the question comes down to whether you care more about privacy checkboxes or about your data security? Looking at it that way, I’d prefer an organization that can assure the security of my data; they probably deserve my business more than someone adhering to all the checkboxes but failing on the most important, even if unregulated, duty.
Data Maturity Model
As noted above, we have broken the data trust model into privacy and security readiness. Let’s start with data privacy readiness. It’s worth noting that there are elaborate exercises that assess an organization’s privacy readiness (I am referring to the privacy impact assessments). Be that as it may, it is useful to keep a tally of your data privacy readiness with a simple model like this.
Data Privacy Readiness Assessment
1. Consent management
Customers’ consent expressed through any channel is logged, managed and acted upon centrally.
2. Data subject access requests
Your customers can make a request to you to share any and all data you are carrying about them.
3. Right to be forgotten (RTBF)
Your customers can easily make a request to have you delete any data about them, subject to legal/regulatory reasons for data retention.
4. Consumer control over data sharing
Your customers control what data you share and with whom.
5. Records of processing activity (RoPA)
Your ability to conduct a regular sensitive data audit and generate a RoPA report.
Data Security Readiness Assessment
Once completed, move on to defining your data security readiness.
1. 360 degree view of data
A complete view of all sensitive data your organization has on-premises.
2. Unstructured and Structured data map
A complete view of all sensitive data stored in data repositories in Text, Image, Audio and Video formats.
3. 360 degree view of user access
a. Whose data exists within your company.
4. 360 degree view of third party
a. How is your sensitive data getting shared (or getting leaked) outside of your organization?
5. Risk Detection and Remediation automation
a. How are risks handled and minimized within your organization once detected?
6. Access automation for unstructured/structured data
a. Continuous monitoring of content being accessed by individuals.
The Future – Data Security & Privacy together
Data observability is just the first step. Next, you can implement policy-based automation so that any data risk gets contained before it can do any damage. Unwarranted exposures will get acted upon automatically before a malicious actor can get their hands on that data. Furthermore, with a tabulated view of all sensitive data shared with each partner, you can automatically send notices to each of your partners asking them to delete shared data.
Once you have personal data visibility you can build effective guardrails for your organization’s security posture, that should be the fundamental requirement. Once data mapping is in place, data privacy kicks into the picture.
Building effective Privacy Assessment and ROPA (Record of Processing Activity) with intelligent data cataloging, creating privacy policies pertaining to each law are the fundamental rights.
This decade will be about how we bridge the gap between data security and privacy, making sure the data is compliant and secured at all times.