Think PCI, HIPAA, and GDPR compliance is tough? There's a tsunami of similar laws on the way. Prepare your business for success with privacy by design.

October 13, 2021

Nobody becomes a software developer to spend their time reading about Schrems II. Compliance can be frustrating. It doesn't have to be that way. You can build data privacy, data security, and data residency into your architecture, rather than bolt it on as an afterthought. It's an approach called privacy by design, and it's about to become more essential than ever.

If you think compliance with current privacy laws like PCI, HIPAA, GLBA, CCPA, and GDPR is tough, consider the tsunami of new and updated data protection laws being passed globally:

  • SOFIPO (Mexico)

  • Updated Data Privacy Act (Australia)

  • PIPL (China)

  • LGPD (Brazil)

  • Amended PDPA (Singapore)

  • DCIA (Canada)

Complying with these laws one by one (a piecemeal approach) will be a huge challenge for most companies. Worse, this approach leaves you with a mess of new tools that don't work with each other. You need a privacy-by-design approach so you can stop playing "compliance whack-a-mole" (less fun than it sounds!).

Building With Privacy by Design
With privacy by design, you go beyond current and future data privacy laws. Instead, you build effective data privacy as a fundamental part of your product. So, you solve the underlying problem while delivering value to customers. And isn't that more interesting than protecting against fines and lawsuits?

Customers want you to do the right thing, not just comply with the law. Surveys indicate that if a data breach occurs, your customers are more likely to blame you than to blame the hackers.

Future-Proof Compliance to Protect Your Customer Data
Look around and it's obvious — all companies need to go beyond a piecemeal approach to privacy compliance. Not only because a piecemeal approach is inefficient, but because it's ineffective.

After all, hackers are constantly working to find new exploits. True data privacy requires you to be forward-looking, to preempt the latest exploits from malicious hackers.

To see the weaknesses of a piecemeal approach, consider the 2020 data breach at Marriott International that exposed the personal information of 5.2 million customers. Marriott had implemented security and compliance solutions, but those weren't enough when compromised employee credentials were used to breach its security. And the company's existing solutions didn't detect the breach for over a month.

Customer Trust Is Priceless; Put Their Data in a Zero Trust Privacy Vault
Customer relationships are essential to any business. And those relationships depend on protecting customer data. What's the best way to protect this data while not losing the ability to use it? The answer: a zero trust data privacy vault.

With a zero trust privacy vault, you can manage and use data with strong security and privacy protection. This frees you to meet critical needs like data sharing and analytics while still protecting customer data. That's why Apple and Netflix built zero trust privacy vaults: so that they could build trust by protecting customer data. All without sacrificing data usability.

At Skyflow, we believe that every company that uses customer data needs a zero trust privacy vault. Otherwise, privacy by design remains beyond reach. You have to either build a zero trust data privacy vault, or buy one.

So, what's a zero trust privacy vault, and how does it work?

Inside the Zero Trust Data Privacy Vault
First of all, what do I mean by "zero trust?" Zero trust architecture is based on the idea that security doesn't end with securing a network perimeter. Instead, you design for data security as if there is no network perimeter. So instead of trusting specific users and devices, you assume that all users and devices are a potential threat.

And of course, you need features like access control and effective encryption to ensure usability and security:

  • Fine-Grained Access Control: With your customer data secured in a well-designed zero trust data privacy vault, you can control who sees what, when, where, and how. So you can keep your most sensitive data and broadest customer data queries away from employees who don't need them. And away from malicious hackers.

  • Polymorphic Data Encryption: Encryption-at-rest is required by several privacy laws, but it isn't always sufficient. If Social Security numbers (SSNs) or other sensitive data are managed loosely in your code after being decrypted, are you providing true privacy? A well-designed zero trust data privacy vault should let you treat each type of sensitive data differently, so when you only need the last four digits of a customer's SSN, you don't decrypt the full SSN — only the last four digits.
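The two features above can be sketched together. The following is an added example, not Skyflow's implementation or code from the original article: it assumes one AES-256-GCM key per view of the SSN and a deny-by-default role policy, and the role names, record IDs, and sample SSN are constructed for illustration.

```javascript
const { createCipheriv, createDecipheriv, randomBytes } = require('crypto');

// One key per view (constructed in memory here; assume a KMS or HSM holds them in practice).
const KEYS = { ssn_full: randomBytes(32), ssn_last4: randomBytes(32) };

// Deny-by-default policy: role -> views it may decrypt (hypothetical roles).
const POLICY = new Map([
  ['support', ['ssn_last4']],
  ['tax_filing', ['ssn_full', 'ssn_last4']],
]);

function seal(view, plaintext, recordId) {
  const iv = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', KEYS[view], iv);
  c.setAAD(Buffer.from(`${recordId}:${view}`)); // bind ciphertext to its record and view
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function open(view, blob, recordId) {
  const d = createDecipheriv('aes-256-gcm', KEYS[view], blob.iv);
  d.setAAD(Buffer.from(`${recordId}:${view}`));
  d.setAuthTag(blob.tag);
  return Buffer.concat([d.update(blob.ct), d.final()]).toString('utf8'); // throws if tampered
}

// Write path: split the SSN once so each view is encrypted independently.
function storeSsn(vault, recordId, ssn) {
  const digits = ssn.replace(/\D/g, '');
  if (digits.length !== 9) throw new Error('expected a 9-digit SSN');
  vault.set(recordId, {
    ssn_full: seal('ssn_full', digits, recordId),
    ssn_last4: seal('ssn_last4', digits.slice(-4), recordId),
  });
}

// Read path: policy check first, then decrypt only the requested view.
function readSsn(vault, role, recordId, view) {
  if (!(POLICY.get(role) || []).includes(view)) {
    throw new Error(`access denied: ${role} may not read ${view}`);
  }
  const rec = vault.get(recordId);
  if (!rec) throw new Error('no such record');
  return open(view, rec[view], recordId);
}

const vault = new Map();
storeSsn(vault, 'cust-001', '000-12-3456'); // constructed sample value
console.log(readSsn(vault, 'support', 'cust-001', 'ssn_last4'));
```

A support lookup never touches the full-SSN ciphertext or its key, so the complete number is never decrypted on that path.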

Of course, this is just scratching the surface of privacy vaults. The new privacy laws tsunami is coming, and leading companies (like Netflix) are building zero trust privacy vaults or buying them.

Learn about how Skyflow approaches zero trust when building the world's first data privacy vault delivered as an API.

About the Author


Anshu Sharma is a serial entrepreneur and angel investor. He co-founded Clearedin, where he serves as Executive Chairman, and Suki, a digital assistant for doctors. Previously, he served as venture partner at Storm Ventures and was vice president of platform at Salesforce. He has invested in over 25 startups, including Nutanix, Algolia, Workato, and RazorPay.
