Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:00 PM
Chris Babel
Chris Babel
Connect Directly
E-Mail vvv

The Problem with Automating Data Privacy Technology

Managing complex and nuanced consumer rights requests presents a unique challenge for enterprises in today's regulated world of GDPR and CCPA. Here's why.

As privacy laws around the globe proliferate and evolve, company leaders must be careful not to approach privacy compliance as an item to check off a list. Instead of employing a reactive strategy built around ad hoc responses to new laws and amendments, organizations should deploy a more proactive approach. To do so, they'll need to develop scalable processes that ingrain privacy into how the company manages its data. A scalable approach to privacy can help conserve resources, including budget, and create a lasting competitive edge.

Privacy technology platforms on the market automate some of the processes behind a scalable privacy program. As we'll learn, the term "automation" carries a few distinct meanings, and only platforms that adhere to a specific definition can provide the proactive data enablement needed for operationalized compliance at scale. When we hear the term "automation" as it relates to technology generally, it refers to tools that enable the automatic processing of repetitive tasks. However, in the privacy compliance world specifically, "automation" often refers to the ability to connect different platforms via APIs to integrate data sources and enterprise systems.

The abilities to reduce the hours typically needed for rote tasks and connecting systems to one another are important. Unfortunately, for building data privacy compliance at scale and unlocking the value of data, these types of automation aren't enough. [Editor's note: The author is the chief executive officer of a company that provides privacy management software and services, as do several other vendors.] Consider a consumer request. The California Consumer Protection Act (CCPA) stipulates that consumers "have the right to request that a business that collects a consumer's personal information disclose to that consumer the categories and specific pieces of personal information the business has collected." Consumers may also submit a number of other requests pertaining to how companies collect and handle their data. Other privacy laws contain similar stipulations.

Automation technology can look up a consumer's name in a database, provide the controller (company) the requisite information, and help manage a request to delete data. But much of the "automation" technology for privacy is not intelligent and does not help organizations solve many of the challenges data privacy represents. For example, many technical solutions can automate repetitive tasks. Solutions that automate intelligently and in a sophisticated manner eliminate those repetitive tasks. Tasks such as consumer rights requests are different, nuanced, and complex. They require intelligent automation.

Intelligent automation goes beyond rote database lookups of consumer information. Technology for compliance at scale must be able to process an access request; analyze the request against the requirements of dozens of regulations; and determine what is different in each of those regulations, the risk present in the organization's data practices, and how each regulation must be handled as a result. This kind of intelligent technology provides a holistic view of how data moves across an organization.

The consumer rights request example is not exhaustive, but it illustrates the intelligent and flexible nature of technologies that can help operationalize privacy compliance at scale. What data privacy automation needs is technology that can accommodate existing laws and regulations with rules and logic in order to facilitate privacy program creation and management. This automated technology must be able to adapt to the speed that laws and enforcement actions change by producing a well-documented audit trail that manages not just compliance but the flow of data throughout the entire organization.

Sophisticated technologies like these can deliver data enablement. But to leverage the analyses, intelligent automation can provide, organizations must also be consistent in how they act on technology's insights to scale compliance. Intelligent automation can also establish a framework for driving consistency in business action across multiple regions, laws, and teams. For example, there are more than 130 different privacy laws worldwide. Intelligent automation can quickly search those laws for commonalities and provide actionable advice to business leaders about the risk obligations they face as they pertain to each law. This approach can underpin a scalable program that allows leaders to easily respond to new laws or changes to current laws.

With privacy technology, the word "automated" as a descriptor is used a lot. Yet few business leaders understand what that word currently means and what it needs to mean if they wish to scale their compliance programs. Today's existing automation technologies can help automate rote activities or connect disparate systems via APIs to reduce the reliance on manual tasks. While this form of automation can help with a "check-the-box" approach to privacy compliance, it will not allow organizations to understand how and why data is moving across a company. Only through intelligent automation will organizations learn how to turn data into a strategic asset, helping make privacy decisions quickly to harness the power of data not just to drive compliance but also greater business success.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "How InfoSec Pros Can Help Healthcare During the Coronavirus Pandemic."


As CEO of TrustArc, formerly known as TRUSTe, Chris has led the company through significant growth and transformation into a leading global privacy compliance and risk management company. Before joining TrustArc, Chris spent over a decade building online trust, most recently ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Inside North Korea's Rapid Evolution to Cyber Superpower
Kelly Sheridan, Staff Editor, Dark Reading,  12/1/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-12-04
An issue was discovered in OpenStack Horizon before 15.3.2, 16.x before 16.2.1, 17.x and 18.x before 18.3.3, 18.4.x, and 18.5.x. There is a lack of validation of the "next" parameter, which would allow someone to supply a malicious URL in Horizon that can cause an automatic redirect to the...
PUBLISHED: 2020-12-04
Out-of-bounds read issue in GT21 model of GOT2000 series (GT2107-WTBD all versions, GT2107-WTSD all versions, GT2104-RTBD all versions, GT2104-PMBD all versions, and GT2103-PMBD all versions), GS21 model of GOT series (GS2110-WTBD all versions and GS2107-WTBD all versions), and Tension Controller LE...
PUBLISHED: 2020-12-04
The iconv function in the GNU C Library (aka glibc or libc6) 2.30 to 2.32, when converting UCS4 text containing an irreversible character, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.
PUBLISHED: 2020-12-04
hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop via an RX descriptor with a NULL buffer address.
PUBLISHED: 2020-12-04
An issue was discovered in SonicBOOM riscv-boom 3.0.0. For LR, it does not avoid acquiring a reservation in the case where a load translates successfully but still generates an exception.