Partner Perspectives

How CISOs Can Manage the Intersection of Security, Privacy, And Trust

Integrating a subject rights request tool with security and compliance solutions can help identify potential data conflicts more efficiently and with greater accuracy.

There’s an old adage among cybersecurity professionals: You can’t protect what you can’t see. And with data exploding literally everywhere, it has become increasingly hard to protect. 

The World Economic Forum estimates that by 2025, the volume of data generated each day will reach 463 exabytes (EB) globally. To put that number into perspective, 1 EB is equivalent to 1 billion gigabytes. CISOs are already required to guard sprawling corporate and customer data at all costs or risk hefty legal and compliance fines; now they face an even tougher challenge. 

Countries around the world are implementing comprehensive privacy requirements, with 71% of countries already having some form of data protection and privacy legislation in place. With increasing complexity and change in the regulatory landscape, organizations must ensure that privacy protection remains central to their operations.

Data Privacy and Data Protection Challenges

There's a significant overlap between data privacy and data protection. You can't have one without the other, and improved data security and transparent commitments to customer privacy can increase trust. CISOs play an important role in driving that overall trust by selecting the right mix of automated, next-generation data protection solutions that can protect data and respect customer preferences for how data is used.

In the past few years, customers have been asking for data privacy solutions embedded into the cloud services they use to drive their businesses. They were facing three key challenges:

  • They struggled to identify and manage personal data in their existing cloud environments. They also didn’t have the right tools in place to discover and define what personal data actually was.
  • They had lots of archaic, manual processes in place to manage risk. They were using spreadsheets to keep data private, and they struggled to keep up.
  • They were facing subject rights requests (SRRs) that were introduced by GDPR, CCPA, and many other regulations. Customers needed a way to execute these subject rights requests.

Managing SRRs At Scale

Responding to SRRs can be resource-intensive, costly, and difficult to manage. An IAPP/EY report found more than half of organizations handle SRRs manually, while one in three has automated the process. According to Gartner, most organizations process between 51 and 100 SRRs per month at a cost of more than $1,500 per request. As more privacy regulations come into force and the public becomes more informed about their rights, the volume of SRRs is expected to grow substantially, impacting organizations' resources even further.

To process an SRR, an organization must first verify the data subject, making sure that the individual is who they say they are and has the right to the information. Only then can it collect the information, review it, redact where appropriate, and provide the response to the requester in an auditable manner.

Most organizations have processes in place for SRR responses but rely on email for collaboration, electronic discovery tools for search, and manual reviews to identify data conflicts, such as a file containing multiple people's privacy-relevant data. These processes can work, but they don't scale. They also create data sprawl and additional security and compliance risk.

Instead, organizations should focus on creating a standardized and integrated process to support SRR management. That process begins with finding relevant data, identifying data conflicts, triaging multiperson data and legal conflicts, and finally reviewing the data set across multiple teams before responding to the subject's request. Automating data discovery and retrieval is crucial. After all, the faster and easier a company can search for data, estimate data volume, and adjust search queries, the more efficient its SRR process will be. This can also help reduce the risk of missing key information, which can be a costly error that causes companies to become noncompliant.

Integrating an SRR tool with information security and compliance solutions can help identify potential data conflicts more efficiently and with greater accuracy. We also recommend organizations take advantage of a robust triage and review platform, ensure secure and compliant collaboration, and choose a solution that is compatible with their existing privacy ecosystems. Doing so will allow them to respond to SRRs in a unified manner across their entire data estates.

Ultimately, if companies want to leverage the power that data has to offer, they must first be able to protect it — and data privacy goes hand in hand with data security. Learn more about how you can streamline data privacy protections and SRRs by downloading our e-book.

Read more Partner Perspectives from Microsoft Security.
