Mark Settle
Privacy data mismanagement is a lurking liability within every commercial enterprise. The very definition of privacy data is evolving over time and has been broadened to include information concerning an individual’s health, wealth, college grades, geolocation and web surfing behaviors. Regulations are proliferating at state, national and international levels that seek to define privacy data and establish controls governing its maintenance and use.
Existing regulations are relatively new and are being translated into operational business practices through a series of judicial challenges that are currently in progress, adding to the confusion regarding proper data handling procedures. In this confusing and sometimes chaotic environment, the privacy risks faced by almost every corporation are frequently ambiguous, constantly changing and continually expanding.
Conventional information security (infosec) tools are designed to prevent the inadvertent loss or intentional theft of sensitive information. They are not sufficient to prevent the mismanagement of privacy data. Privacy safeguards not only need to prevent loss or theft but they must also prevent the inappropriate exposure or unauthorized usage of such data, even when no loss or breach has occurred. A new generation of infosec tools is needed to address the unique risks associated with the management of privacy data.
The first wave of innovation
A variety of privacy-focused security tools emerged over the past few years, triggered in part by the introduction of GDPR (General Data Protection Regulation) within the European Union in 2018. New capabilities introduced by this first wave of innovation were focused in the following three areas:
Data discovery, classification and cataloging. Modern enterprises collect a wide variety of personal information from customers, business partners and employees at different times for different purposes with different IT systems. This data is frequently disseminated throughout a company’s application portfolio via APIs, collaboration tools, automation bots and wholesale replication. Maintaining an accurate catalog of the location of such data is a major challenge and a perpetual activity. BigID, DataGuise and Integris Software have gained prominence as popular solutions for data discovery. Collibra and Alation are leaders in providing complementary capabilities for data cataloging.
Consent management. Individuals are commonly presented with privacy statements describing the intended use and safeguards that will be employed in handling the personal data they supply to corporations. They consent to these statements — either explicitly or implicitly — at the time such data is initially collected. Osano, Transcend.io and DataGrail.io specialize in the management of consent agreements and the enforcement of their terms. These tools enable individuals to exercise their consensual data rights, such as the right to view, edit or delete personal information they’ve provided in the past.
Privacy Operations. PrivacyOps platforms perform multiple functions, either inherently or through integrations with other tools. These platforms typically possess some combination of data discovery, cataloging and access control capabilities. They are frequently used to manage consent privileges, regulatory controls and privacy incidents. They furnish the evidence needed to achieve auditable compliance with relevant privacy regulations. OneTrust, TrustArc, Securiti.ai and Wirewheel are leading PrivacyOps vendors.
The next wave of innovation
The next generation of privacy management tools will build upon the capabilities referenced above and focus on the following functional areas. Early entrants already exist in some of these areas but additional investment and innovation is needed.
Data usage monitoring. As indicated above, privacy security tools have a higher standard of success than conventional infosec tools because they need to prevent the usage of personal data in ways that were never prescribed or implied by the consent agreements that were used to collect such data in the first place. The usage provisions of most consent agreements are too generalized to be translated into an exhaustive set of explicit use cases that can be used to detect inappropriate usage.
This is an area where the application of machine learning and artificial intelligence techniques to identify anomalous usage patterns could pay major dividends. Early detection of new, novel or suspicious data flows based upon departures from past behavior would materially improve a company’s ability to deter misuse. In much the same way that conventional Security Incident and Event Management (SIEM) tools were developed to provide early warning of security intrusions and exfiltration events, a new generation of Privacy Incident and Event Management (PIEM) tools are needed to detect seemingly benign data flows that violate the terms of usage that were guaranteed to the personal data provider. New usage insights could potentially be provided by API management platforms with more granular data inspection capabilities. Deeper insight into the delegation and usage of fine-grained end user authentication privileges could be a useful means of policing inappropriate data flows as well.
Self-service rights management. In reality, consumers rarely read or understand the rights they’ve surrendered or retained when they provide personal information to a commercial business. They simply don’t have the time, interest or knowledge to comprehend the terms or implications of the consent agreements they’ve accepted. Any technology that can provide individuals with a deeper understanding of the rights they’ve retained; the ability to exercise those rights directly without the facilitation of an intermediary agent; comparative insight into the relative stringency or laxness of the safeguards guaranteed by different agreements; or operational insight into the implementation or effectiveness of such safeguards would be hugely welcomed by most individuals. Information of this nature could be used to construct privacy scores for corporations that consumers could use to protect their personal data in much the same way that corporations use the credit scores of their customers to protect their profits.
Sophisticated self-service tools will also pay dividends for corporations by enabling them to cope with the continual expansion of data provider rights without expanding the administrative staff required to fulfill individual requests for data access, viewing, editing and deletion.
Application development tools. Privacy by design refers to the construction of IT systems using a set of architectural principles and associated business practices that automatically protect personal data from its point of collection to its point of destruction with no action required on the part of the individual providing such data. New development tools are needed to incorporate privacy-related features in the construction of applications and systems that adhere to these principles. Privacy-specific development tools such as programming kits, software widgets and API services could potentially be used to automate the maintenance of privacy data catalogs, cleanse and normalize data collected by different systems, encrypt and obfuscate specific data types, manage data rights and fulfill the requests of data providers.
Early entrants in this space are emerging. Ethyca currently offers developers a variety of data discovery, viewing, editing and deletion services that can be used to customize the way individuals interact with their personal data while navigating a consumer website or e-commerce platform. Skyflow and Evervault provide storage as a service capabilities that automate the obfuscation of privacy data. Additional tools for data modeling and provisioning would be valuable additions to this embryonic engineering toolkit.
Risk reduction or revenue opportunity?
The current and future capabilities listed above can go a long way toward reducing the business risks associated with the ever-expanding and sometimes chaotic privacy landscape confronting every enterprise. Enlightened companies may consider this landscape to be as much of a business opportunity as it is a risk. Most B2C companies have spent the last five years digitally transforming the online experiences of their customers, making online interactions more substantive, personalized and engaging.
During the next five years, B2C companies that provide their customers with a superior privacy experience are highly likely to gain a competitive edge. Investments in privacy tools and management practices now are almost certain to deliver major business dividends in the future.
Comment