Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:00 PM
Chris Babel
Chris Babel
Connect Directly
E-Mail vvv

The Problem with Automating Data Privacy Technology

Managing complex and nuanced consumer rights requests presents a unique challenge for enterprises in today's regulated world of GDPR and CCPA. Here's why.

As privacy laws around the globe proliferate and evolve, company leaders must be careful not to approach privacy compliance as an item to check off a list. Instead of employing a reactive strategy built around ad hoc responses to new laws and amendments, organizations should deploy a more proactive approach. To do so, they'll need to develop scalable processes that ingrain privacy into how the company manages its data. A scalable approach to privacy can help conserve resources, including budget, and create a lasting competitive edge.

Privacy technology platforms on the market automate some of the processes behind a scalable privacy program. As we'll learn, the term "automation" carries a few distinct meanings, and only platforms that adhere to a specific definition can provide the proactive data enablement needed for operationalized compliance at scale. When we hear the term "automation" as it relates to technology generally, it refers to tools that enable the automatic processing of repetitive tasks. However, in the privacy compliance world specifically, "automation" often refers to the ability to connect different platforms via APIs to integrate data sources and enterprise systems.

The abilities to reduce the hours typically needed for rote tasks and connecting systems to one another are important. Unfortunately, for building data privacy compliance at scale and unlocking the value of data, these types of automation aren't enough. [Editor's note: The author is the chief executive officer of a company that provides privacy management software and services, as do several other vendors.] Consider a consumer request. The California Consumer Protection Act (CCPA) stipulates that consumers "have the right to request that a business that collects a consumer's personal information disclose to that consumer the categories and specific pieces of personal information the business has collected." Consumers may also submit a number of other requests pertaining to how companies collect and handle their data. Other privacy laws contain similar stipulations.

Automation technology can look up a consumer's name in a database, provide the controller (company) the requisite information, and help manage a request to delete data. But much of the "automation" technology for privacy is not intelligent and does not help organizations solve many of the challenges data privacy represents. For example, many technical solutions can automate repetitive tasks. Solutions that automate intelligently and in a sophisticated manner eliminate those repetitive tasks. Tasks such as consumer rights requests are different, nuanced, and complex. They require intelligent automation.

Intelligent automation goes beyond rote database lookups of consumer information. Technology for compliance at scale must be able to process an access request; analyze the request against the requirements of dozens of regulations; and determine what is different in each of those regulations, the risk present in the organization's data practices, and how each regulation must be handled as a result. This kind of intelligent technology provides a holistic view of how data moves across an organization.

The consumer rights request example is not exhaustive, but it illustrates the intelligent and flexible nature of technologies that can help operationalize privacy compliance at scale. What data privacy automation needs is technology that can accommodate existing laws and regulations with rules and logic in order to facilitate privacy program creation and management. This automated technology must be able to adapt to the speed that laws and enforcement actions change by producing a well-documented audit trail that manages not just compliance but the flow of data throughout the entire organization.

Sophisticated technologies like these can deliver data enablement. But to leverage the analyses, intelligent automation can provide, organizations must also be consistent in how they act on technology's insights to scale compliance. Intelligent automation can also establish a framework for driving consistency in business action across multiple regions, laws, and teams. For example, there are more than 130 different privacy laws worldwide. Intelligent automation can quickly search those laws for commonalities and provide actionable advice to business leaders about the risk obligations they face as they pertain to each law. This approach can underpin a scalable program that allows leaders to easily respond to new laws or changes to current laws.

With privacy technology, the word "automated" as a descriptor is used a lot. Yet few business leaders understand what that word currently means and what it needs to mean if they wish to scale their compliance programs. Today's existing automation technologies can help automate rote activities or connect disparate systems via APIs to reduce the reliance on manual tasks. While this form of automation can help with a "check-the-box" approach to privacy compliance, it will not allow organizations to understand how and why data is moving across a company. Only through intelligent automation will organizations learn how to turn data into a strategic asset, helping make privacy decisions quickly to harness the power of data not just to drive compliance but also greater business success.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "How InfoSec Pros Can Help Healthcare During the Coronavirus Pandemic."


As CEO of TrustArc, formerly known as TRUSTe, Chris has led the company through significant growth and transformation into a leading global privacy compliance and risk management company. Before joining TrustArc, Chris spent over a decade building online trust, most recently ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-19
An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The hi...
PUBLISHED: 2021-04-19
A flaw was found in cifs-utils in versions before 6.13. A user when mounting a krb5 CIFS file system from within a container can use Kerberos credentials of the host. The highest threat from this vulnerability is to data confidentiality and integrity.
PUBLISHED: 2021-04-19
If Ethernet communication of the JTEKT Corporation TOYOPUC product series’ (TOYOPUC-PC10 Series: PC10G-CPU TCC-6353: All versions, PC10GE TCC-6464: All versions, PC10P TCC-6372: All versions, PC10P-DP TCC-6726: All versions, PC10P-DP-IO TCC-6752: All versions, PC10B-P TCC-6373: Al...
PUBLISHED: 2021-04-19
An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3. The serialnumber parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection. An attacker can make an authenticated HTTP request to trigger...
PUBLISHED: 2021-04-19
GStreamer before 1.18.4 might access already-freed memory in error code paths when demuxing certain malformed Matroska files.