The Problem with Automating Data Privacy Technology
Managing complex and nuanced consumer rights requests presents a unique challenge for enterprises in today's regulated world of GDPR and CCPA. Here's why.
May 13, 2020
5 Min Read
As privacy laws around the globe proliferate and evolve, company leaders must be careful not to approach privacy compliance as an item to check off a list. Instead of employing a reactive strategy built around ad hoc responses to new laws and amendments, organizations should deploy a more proactive approach. To do so, they'll need to develop scalable processes that ingrain privacy into how the company manages its data. A scalable approach to privacy can help conserve resources, including budget, and create a lasting competitive edge.
Privacy technology platforms on the market automate some of the processes behind a scalable privacy program. As we'll learn, the term "automation" carries a few distinct meanings, and only platforms that adhere to a specific definition can provide the proactive data enablement needed for operationalized compliance at scale. When we hear the term "automation" as it relates to technology generally, it refers to tools that enable the automatic processing of repetitive tasks. However, in the privacy compliance world specifically, "automation" often refers to the ability to connect different platforms via APIs to integrate data sources and enterprise systems.
The abilities to reduce the hours typically needed for rote tasks and connecting systems to one another are important. Unfortunately, for building data privacy compliance at scale and unlocking the value of data, these types of automation aren't enough. [Editor's note: The author is the chief executive officer of a company that provides privacy management software and services, as do several other vendors.] Consider a consumer request. The California Consumer Protection Act (CCPA) stipulates that consumers "have the right to request that a business that collects a consumer's personal information disclose to that consumer the categories and specific pieces of personal information the business has collected." Consumers may also submit a number of other requests pertaining to how companies collect and handle their data. Other privacy laws contain similar stipulations.
Automation technology can look up a consumer's name in a database, provide the controller (company) the requisite information, and help manage a request to delete data. But much of the "automation" technology for privacy is not intelligent and does not help organizations solve many of the challenges data privacy represents. For example, many technical solutions can automate repetitive tasks. Solutions that automate intelligently and in a sophisticated manner eliminate those repetitive tasks. Tasks such as consumer rights requests are different, nuanced, and complex. They require intelligent automation.
Intelligent automation goes beyond rote database lookups of consumer information. Technology for compliance at scale must be able to process an access request; analyze the request against the requirements of dozens of regulations; and determine what is different in each of those regulations, the risk present in the organization's data practices, and how each regulation must be handled as a result. This kind of intelligent technology provides a holistic view of how data moves across an organization.
The consumer rights request example is not exhaustive, but it illustrates the intelligent and flexible nature of technologies that can help operationalize privacy compliance at scale. What data privacy automation needs is technology that can accommodate existing laws and regulations with rules and logic in order to facilitate privacy program creation and management. This automated technology must be able to adapt to the speed that laws and enforcement actions change by producing a well-documented audit trail that manages not just compliance but the flow of data throughout the entire organization.
Sophisticated technologies like these can deliver data enablement. But to leverage the analyses, intelligent automation can provide, organizations must also be consistent in how they act on technology's insights to scale compliance. Intelligent automation can also establish a framework for driving consistency in business action across multiple regions, laws, and teams. For example, there are more than 130 different privacy laws worldwide. Intelligent automation can quickly search those laws for commonalities and provide actionable advice to business leaders about the risk obligations they face as they pertain to each law. This approach can underpin a scalable program that allows leaders to easily respond to new laws or changes to current laws.
With privacy technology, the word "automated" as a descriptor is used a lot. Yet few business leaders understand what that word currently means and what it needs to mean if they wish to scale their compliance programs. Today's existing automation technologies can help automate rote activities or connect disparate systems via APIs to reduce the reliance on manual tasks. While this form of automation can help with a "check-the-box" approach to privacy compliance, it will not allow organizations to understand how and why data is moving across a company. Only through intelligent automation will organizations learn how to turn data into a strategic asset, helping make privacy decisions quickly to harness the power of data not just to drive compliance but also greater business success.
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "How InfoSec Pros Can Help Healthcare During the Coronavirus Pandemic."
About the Author(s)
As CEO of TrustArc, formerly known as TRUSTe, Chris has led the company through significant growth and transformation into a leading global privacy compliance and risk management company. Before joining TrustArc, Chris spent over a decade building online trust, most recently in the security industry as senior vice president and general manager of VeriSign's worldwide authentication services business. Chris also previously managed VeriSign's SSL and managed security services business. He holds a BA in Mathematical Methods in the Social Sciences and Economics with Highest Distinction from Northwestern University.
You May Also Like
Your Everywhere Security guide: Four steps to stop cyberattacksFeb 27, 2024
Your Everywhere Security Guide: 4 Steps to Stop CyberattacksFeb 27, 2024
API Security: Protecting Your Application's Attack SurfaceFeb 29, 2024
API Security: Protecting Your Application's Attack SurfaceFeb 29, 2024
Securing the Software Development Life Cycle from Start to FinishMar 06, 2024
Causes and Consequences of IT and OT Convergence
Stopping Active Adversaries: Lessons from the Cyber Frontline
FortiSASE Customer Success Stories - The Benefits of Single Vendor SASE
Fortinet Named a Leader in the Forrester Wave: Zero Trust Edge (ZTE) Solutions
Migrations Playbook for Saving Money with Snyk + AWS